Data Breach Policy (GDPR-Compliant)
This Data Breach Policy sets out the steps that should be taken when
dealing with a data breach.
A data breach (which may or may not involve personal data) can take many
forms. It may, for example, involve the loss or theft of data, the
unauthorised access to, use of, or modification of data, or something
apparently less direct such as equipment damage, human error, or the loss
or theft of equipment.
Data breaches, whether suspected or actual, should be reported to the
responsible individual (or department) within your business. This may be
your Data Protection Officer, if you have one, or it may be someone else.
Having this point of contact clearly identified is important.
Initial steps to be taken upon the reporting of a data breach should
include containing the breach itself, determining the full particulars of
it, working out what needs to be done to resolve and remedy the situation
properly, and establishing who needs to be notified. At the early stages,
this might include the police if equipment or records have been stolen.
A full investigation and assessment of the breach should go into more
detail, determining who will be affected by the breach and to what degree,
how much data is involved, how many data subjects will be affected, the
consequences of the breach and more.
Some personal data breaches must be notified to the Information
Commissioner’s Office (ICO) and to the individual data subjects whose data
is involved in the breach. In some cases, only the ICO needs to be informed,
and in other cases, nobody does. This policy sets out some key
considerations to help determine who needs to be notified. If a decision is
made not to notify, this must be documented, along with the reasoning.
Once the breach itself is resolved and all necessary parties notified,
steps should be taken to prevent similar breaches from occurring in the
future. Existing practices, procedures, and measures should be critically
evaluated, and changes and improvements implemented.
Each of the above stages is set out in this Data Breach Policy and most
stages should also be documented in a Data Breach Register. Documenting
everything is vitally important and will assist you in complying with the
GDPR’s accountability principle.
Failure to notify a personal data breach when required to do so can result
in a significant fine of up to €10m or 2% of global turnover (although, as
is the case with the larger penalties under the GDPR, SMEs should not
expect bankruptcy – the ICO will be fair and proportionate). When in doubt,
notify, and always refer any questions to the ICO or a lawyer specialising
in data protection law.
Optional phrases / clauses are enclosed in square brackets. These should be
read carefully and selected so as to be compatible with one another. Unused
options should be removed from the document.
This Data Breach Policy contains the following sections:
2. Scope of Policy
3. Data Breaches
4. Internal Reporting
5. Initial Management and Recording
6. Investigation and Assessment
8. Evaluation and Response
9. Policy Review and Implementation
This Data Breach Policy is in open format. Either enter the requisite
details in the highlighted fields or adjust the wording to suit your