Documents for Business
- » Workplace and Environment
- » Employment law
- » Appraisals, promotion and training
- » Changing terms & conditions and TUPE
- » Contractual clauses
- » Data protection
- » Disciplinary, capability and dismissal
- » Flexible working
- » Grievances
- » Pay and pensions
- » Personnel management
- » Policies
- » Probation
- » Recruitment
- » Redundancy
- » Sickness absence
- » Termination
- » Time off and holidays
- » Trade unions
- » Work and parents
- Environment
- Fire safety
- HR
- Health and safety
- Risk assessment
- Safe systems of work
- Safety briefings
- Staff handbooks
- » Employment law
- Tax and Business
Documents for Business
In excess of 1,000 customisable documents covering every conceivable business issue.Introduction to this document
GDPR data breach policy and response plan
Use our document to ensure the prompt and effective detection, investigation, reporting and resolution of personal data breaches.
Personal data breach
Under the UK GDPR, certain personal data breaches must be notified to the Information Commissioner’s Office (ICO) and sometimes affected data subjects need to be told too. A personal data breach is a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
ICO notification
A personal data breach is reportable to the ICO unless it’s unlikely to result in a risk to the rights and freedoms of individuals. It is likely to result in that risk if, for example, it could result in discrimination, identity theft, fraud, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. Where a breach is reportable, the ICO must be notified without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach. If the notification isn’t made within 72 hours, you’ll need to also set out the reasons for your delay. The notification should at least include: (a) a description of the nature of the breach including, where possible, the categories and approximate number of affected data subjects and the categories and approximate number of affected records; (b) the name and contact details of the data protection officer or other point of contact; (c) a description of the likely consequences of the breach; and (d) a description of the measures taken, or to be taken, to address the breach and mitigate its possible adverse effects.
Affected data subjects
Where the breach is likely to result in a “high risk” to the rights and freedoms of individuals, you’ll also need to communicate the breach to the data subject without undue delay. You’ll need to describe to them what the nature of the breach is, and you must provide the information set out in (b), (c) and (d) above. You should also provide practical advice on how they can themselves limit the damage, e.g. resetting their passwords. You’ll need to contact data subjects individually, unless that involves disproportionate effort, in which case a public communication should be used.
Data breach register
You must keep a record of all personal data breaches, whether or not they’re notifiable to the ICO, to include the facts relating to the breach, its effects and the remedial action taken.
Policy
Our GDPR Data Breach Policy and Response Plan puts a process in place to detect, investigate, report and respond to personal data breaches. It includes guidance on what constitutes a personal data breach and when notification to the ICO or communication to affected data subjects is necessary, as well as setting out a data breach reporting procedure for staff. We’ve also included a template response plan for you to complete during the investigation, reporting and resolution stages.
