Data Breach Response Policy

Crafting clear response policies to protect Hampden Consultancy Group

Effective Date: 2 June 26

Data Protection Officer: Tom Billingham

Last updated: 2 June 2026

Next review: 1 June 2027

Hampden Consultancy Group (HCG) is committed to protecting personal data and to responding quickly and effectively to any data breach. This policy sets out our structured approach to identifying, managing and reporting personal data breaches in line with the UK GDPR, including the duty to notify the Information Commissioner's Office (ICO) within 72 hours where the breach is likely to result in a risk to people.

If in doubt, report it. Any member of staff who becomes aware of an actual or suspected breach, including a near miss, must tell the Data Protection Officer immediately at info@hampdencg.com. The 72-hour clock for notifying the ICO starts when HCG becomes aware of the breach, so speed matters. It is always better to raise something that turns out to be minor than to stay silent.

Purpose and scope

This policy applies to everyone who works for or on behalf of HCG, including employees, contractors and associates. It covers all personal data that HCG handles, whether we hold it as a data controller for our own business or as a data processor on behalf of a client.

What is a personal data breach?

A personal data breach is any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. It is not only about data being stolen or seen by the wrong person; losing access to data, or it being changed or destroyed, also counts.

Examples include:

  • a cyber attack or unauthorised access to a system or account;

  • personal data sent to the wrong recipient, by email or post;

  • loss or theft of a laptop, phone or USB drive containing personal data;

  • personal data being altered or deleted without permission;

  • loss of access to data, for example through ransomware or a failed system with no usable backup.

How to report a breach

All breaches and suspected breaches must be reported without delay to the Data Protection Officer by email at info@hampdencg.com.

When you report, include as much of the following as you can, but do not wait to gather everything before raising it:

  • what happened, and when you became aware of it;

  • what data and roughly how many people may be affected;

  • whether it involves a client's data or HCG's own data;

  • anything you have already done to contain it.

Our response procedure

HCG follows a clear, time-bound process. The timeframes below are our targets from the point we become aware of an incident.

Step 1 Identify

What happens - Confirm that a breach has happened and understand what has occurred.

Target timeframe - Immediately

Step 2 Contain

What happens - Isolate the affected systems, accounts or processes to stop the breach spreading or worsening.

Target timeframe - As soon as possible, within 2 hours

Step 3 Assess

What happens - Evaluate the severity, the data involved, and the likely risk to the people affected.

Target timeframe - Within 24 hours

Step 4 Report internally

What happens - Notify the Data Protection Officer so they can take ownership of the response.

Target timeframe - Within 24 hours

Step 5 Document

What happens - Record the facts, decisions and actions in the breach register.

Target timeframe - Ongoing

Step 6 Notify the ICO

What happens - Report to the ICO if the breach is likely to result in a risk to people's rights and freedoms.

Target timeframe - Within 72 hours of becoming aware

Step 7 Notify individuals

What happens - Tell affected individuals where the breach is likely to result in a high risk to them.

Target timeframe - Without undue delay

Step 8 Post-incident review

What happens - Identify the root cause and put improvements in place to prevent a recurrence.

Target timeframe - Within 7 days

Assessing the risk

Not every breach needs to be reported to the ICO, but every breach must be assessed and recorded. The Data Protection Officer decides what notifications are needed, based on the likely risk to the people affected.

  • Notify the ICO when the breach is likely to result in a risk to individuals' rights and freedoms (for example a risk of distress, financial loss, identity theft or discrimination).

  • Notify the affected individuals when the breach is likely to result in a high risk to them, so they can take steps to protect themselves. Tell them in plain language what happened, the likely consequences, and what they and we are doing about it.

  • Record but do not report where the breach is unlikely to result in a risk. The reasons for this decision must still be documented.

When HCG acts as a data processor

Where HCG processes personal data on behalf of a client (for example through our DPO as a Service or other engagements), the client is the data controller and HCG is the processor. In that situation we do not report directly to the ICO. Instead, we must notify the client controller without undue delay after becoming aware of the breach, and support them with the information they need to meet their own obligations. The relevant contract or data processing agreement may set shorter timescales, which we will follow.

Roles and responsibilities

Data Protection Officer

Owns the response, decides on ICO and individual notifications, manages the breach register, and ensures the process is followed. Acts as the single point of contact for each incident.

IT support

Leads technical containment, investigation and remediation, and preserves evidence and logs.

All staff

Stay alert, and report any actual or suspected breach (including near misses) to the Data Protection Officer immediately.

Record-keeping: the breach register

HCG keeps a record of all personal data breaches, whether or not they are reported to the ICO. For each incident the register captures the facts of the breach, its effects, the risk assessment, the decisions taken and the remedial action. This is a legal requirement under the UK GDPR and allows the ICO to verify our compliance. Records are retained in line with our Data Retention and Deletion Policy.

Training and awareness

All staff receive guidance on recognising and reporting breaches as part of induction and on a regular basis afterwards. Because most breaches start with human error, awareness is our most important safeguard.

Review

This policy is reviewed at least once a year, and after any significant incident, to ensure it remains effective and up to date with the law and our practices.

FAQs

What is a data breach?

A data breach is when sensitive information is accessed without authorisation.

Why have a response policy?
Who is responsible for response?
How soon must breaches be reported?
What steps follow a breach?

It helps quickly manage breaches and reduce potential damage.

Our designated response team handles investigations, notifications, and recovery steps.

Breaches should be reported immediately to minimize risk and comply with regulations.

We assess impact, notify affected parties, and strengthen security measures.

Hampden Consultancy Group
Our Policies
Contact Info
info@hampdencg.com

© 2026. HCG Copyright. All rights reserved.