This personal data breach notification policy, which is designed to support compliance with the GDPR and takes full account of the Article 29 Working Party's guidance on personal data breach notifications, sets out a procedure that a business may follow when personal data stored or processed by the business is subject to a breach.
A personal data breach under the GDPR is defined as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed by the company".
The policy covers notifications by a data controller to a supervisory authority, such as the Information Commissioner's Office in the UK; notifications by a data processor to the data controller whose data is the subject of the breach; and notifications by a data controller to data subjects (i.e. human beings). The three schedules to the policy contain notification forms, one for each type of notification.
The policy is mainly concerned with notification; larger organisations, at least, should combine this document with more detailed policies covering breach detection and response.