Data Breach Response Policy

What is a data breach?

A data breach under GDPR would include the following:

  • Access by an unauthorised third party
  • Deliberate or accidental action (or inaction) by a controller or processor
  • Sending personal data to an incorrect recipient
  • Computing devices containing personal data being lost or stolen or hacked
  • Alteration of personal data without permission
  • Loss of availability of personal data


    Process to be following in the event of a breach

    Action Responsible party
    Identify and halt any active breach to prevent further loss SMT
    Provide information regarding the breach and append to “Data Breach Register” using form herein SMT
    Assess the nature of the breach and determine if impacted users and ICO should be informed

    (must be within 72 hours of identification)

    Duty Director


    Conduct investigation and record lessons learned in register SMT
    Consider issuing an email in line with “misdirected communications” template SMT
    Provide information regarding the loss and provide updated text for “Initial discovery email” SMT
    Identify and classify the data that was compromised and the individuals who may be affected SMT
    Email all effected contacts with “initial discovery email” SMT
    Notify Information Commissioner’s Office Duty Director

    Data Breach Record Form

    This form should be completed and appended to the Register of Data Breaches which is held by the Management Team.

    Example Emails/Templates for use in breach situation

    These emails should be continually amended for use as outlined in the above policy:

  • Example text for “Initial Discovery” email (serious breaches)
  • Example text for “Breach Confirmation” email (serious breach)
  • Example text for “Misdirected Communications” email (minor breach)


    Please note: SMT refers to Senior Management Team