Personal data breach notification policy

Price: £19.50 (inc. 20% VAT) (£16.25 exc. VAT)

A personal data breach notification policy designed to help a small or medium-sized company comply with the GDPR.


Author: Alasdair Taylor
Updated: 13 September 2020
Length: 9 pages
Notes: 8 pages
Format: MS Word (.DOCX)

This personal data breach notification policy is designed to help a business comply with the GDPR and takes full account of the Article 29 Working Party's guidance on personal data breach notification. It sets out a procedure which a business may follow when personal data that it stores or processes is subject to a breach.

The policy defines a personal data breach, following the GDPR, as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed by the company".

The policy covers three types of notification: by a data controller to a supervisory authority (such as the Information Commissioner's Office in the UK), by a data processor to the data controller whose data is the subject of the breach, and by a data controller to the data subjects (i.e. the individuals whose personal data is affected). The three schedules to the policy contain notification forms, one for each type of notification.

The policy is mainly concerned with notification; larger organisations, at least, should combine this document with more detailed policies covering breach detection and incident response.

  1. Introduction
  2. Definitions
  3. Detection of personal data breaches
  4. Responding to personal data breaches
  5. Notification to supervisory authority
  6. Notification to data controller
  7. Notification to data subjects
  8. Other notifications
  9. Reviewing and updating this policy

Schedule 1 (Notification of personal data breach to supervisory authority)
Introduction

  1. Description of personal data breach
  2. Categories of data subject affected
  3. Number of data subjects affected
  4. Categories of personal data concerned
  5. Number of records concerned
  6. Likely consequences of breach
  7. Measures taken to address breach
  8. Has breach been notified to data subjects?
  9. Late report of breach
  10. Contact details

Schedule 2 (Notification of personal data breach to data controller)
Introduction

  1. Description of personal data breach
  2. Categories of data subject affected
  3. Number of data subjects affected
  4. Categories of personal data concerned
  5. Number of records concerned
  6. Likely consequences of breach
  7. Measures taken to address breach
  8. Contact details

Schedule 3 (Notification of personal data breach to data subject)
Introduction

  1. Description of personal data breach
  2. Categories of personal data concerned
  3. Likely consequences of breach
  4. Measures taken to address breach
  5. Steps to mitigate breach
  6. Contact details
