Introduction to this document

GDPR data breach policy and response plan

Use our document to ensure the prompt and effective detection, investigation, reporting and resolution of personal data breaches.

Personal data breach

Under the EU General Data Protection Regulation (GDPR), certain personal data breaches must be notified to the Information Commissioner's Office (ICO) and sometimes affected data subjects need to be told too. A personal data breach is a "breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed".

ICO notification

A personal data breach is reportable to the ICO unless it's unlikely to result in a risk to the rights and freedoms of individuals. It is likely to result in that risk if, for example, it could lead to discrimination, identity theft, fraud, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. Where a breach is reportable, the ICO must be notified without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach. If the notification isn't made within 72 hours, you'll also need to set out the reasons for the delay. The notification should at least include: (a) a description of the nature of the breach including, where possible, the categories and approximate number of affected data subjects and the categories and approximate number of affected records; (b) the name and contact details of the data protection officer or other point of contact; (c) a description of the likely consequences of the breach; and (d) a description of the measures taken, or to be taken, to address the breach and mitigate its possible adverse effects.

Affected data subjects

Where the breach is likely to result in a "high risk" to the rights and freedoms of individuals, you'll also need to communicate the breach to the data subjects without undue delay. You'll need to describe the nature of the breach to them, and you must provide the information set out in (b), (c) and (d) above. You should also give practical advice on how they can limit the damage themselves, e.g. by resetting their passwords. You'll need to contact data subjects individually, unless that would involve disproportionate effort, in which case a public communication should be used instead.

Data breach register

You must keep a record of all personal data breaches, whether or not they're notifiable to the ICO, to include the facts relating to the breach, its effects and the remedial action taken.

Policy

Our GDPR Data Breach Policy and Response Plan puts a process in place to detect, investigate, report and respond to personal data breaches. It includes guidance on what constitutes a personal data breach and when notification to the ICO or communication to affected data subjects is necessary, as well as setting out a data breach reporting procedure for staff. We've also included a template response plan for you to complete during the investigation, reporting and resolution stages.