Data Breach Policy
This Data Breach Policy sets out the steps that should be taken when dealing with a data breach.
This document has been updated for compatibility with the UK GDPR. It is ready for use from the start of 2021.
A data breach (which may or may not involve personal data) can take many forms. It may, for example, involve the loss or theft of data, the unauthorised access to, use of, or modification of data, or something apparently less direct such as equipment damage, human error, or the loss or theft of equipment.
Data breaches, whether suspected or actual, should be reported to the responsible individual (or department) within your business. This may be your Data Protection Officer, if you have one, or it may be someone else. Having this point of contact clearly identified is important.
Initial steps to be taken upon the reporting of a data breach should include containing the breach itself, determining its full particulars, working out what needs to be done to resolve and remedy the situation properly, and establishing who needs to be notified. At the early stages, this might include the police if equipment or records have been stolen.
A full investigation and assessment of the breach should go into more detail, determining who will be affected by the breach and to what degree, how much data is involved, how many data subjects will be affected, the consequences of the breach and more.
Some personal data breaches must be notified to the Information Commissioner’s Office and to the individual data subjects whose data is involved in the breach. In some cases, only the ICO needs to be informed, and in other cases, nobody does. This policy sets out some key considerations to help determine who needs to be notified. If a decision is made not to notify, this must be documented, along with the reasoning.
Once the breach itself is resolved and all necessary parties notified, steps should be taken to prevent similar breaches from occurring in the future. Existing practices, procedures, and measures should be critically evaluated, and changes and improvements implemented.
Each of the above stages is set out in this Data Breach Policy and most stages should also be documented in a Data Breach Register. Documenting everything is vitally important and will assist you in complying with the UK GDPR’s accountability principle.
Failure to notify a personal data breach when required to do so can result in a significant fine of up to £8.7m or 2% of global turnover (although, as is the case with the larger penalties under the UK GDPR, SMEs should not expect bankruptcy – the ICO will be fair and proportionate). When in doubt, notify, and always refer any questions to the ICO or a lawyer specialising in data protection law.
Optional phrases / clauses are enclosed in square brackets. These should be read carefully and selected so as to be compatible with one another. Unused options should be removed from the document.
This Data Breach Policy contains the following sections:
2. Scope of Policy
3. Data Breaches
4. Internal Reporting
5. Initial Management and Recording
6. Investigation and Assessment
8. Evaluation and Response
9. Policy Review and Implementation
This Data Breach Policy is in open format. Either enter the requisite details in the highlighted fields or adjust the wording to suit your purposes.