Data Breach Response Policy
Effective Date: 1 June 2025
Purpose
This policy outlines how HCG will respond to any personal data breach. It ensures compliance with UK GDPR, particularly the obligation to report certain breaches to the Information Commissioner’s Office (ICO) within 72 hours.
Definition of a Data Breach
A personal data breach is any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Examples include:
- Cyberattacks or unauthorised access
- Accidental sharing of data with the wrong person
- Theft or loss of devices containing personal data
Response Procedure
| Step | Action | Timeline |
| --- | --- | --- |
| 1. Identify | Confirm breach and its nature | Immediately |
| 2. Contain | Isolate affected systems or processes | Within 2 hours |
| 3. Assess | Determine severity and potential impact | Within 24 hours |
| 4. Report Internally | Notify the Data Protection Lead | Within 24 hours |
| 5. Document | Record full details of the breach and response | Ongoing |
| 6. Notify ICO | If risk to individuals' rights/freedoms is likely | Within 72 hours |
| 7. Notify Affected Individuals | If high risk to data subjects is present | Without undue delay |
| 8. Post-Incident Review | Analyse root cause and improve systems | Within 7 days |
Roles and Responsibilities
Data Protection Lead: Coordinates response and ICO notifications
IT Support: Containment and technical resolution
All Staff: Must report suspected breaches immediately
Contact
To report a breach or suspected breach, contact:
Email: [email protected]