Data Breach Assessment and Action Plan
(GDPR Compliant)


Summary

This data breach assessment template can be used by your data protection officer (DPO) or head of compliance to assess and manage an actual or suspected personal data breach. It contains practical guidance, drafting notes, and optional clauses. There is a separate template for staff to notify your DPO or head of compliance of actual or suspected personal data breaches, and a register in which to record and monitor breaches.

The data breach templates are intended to ensure that you capture the information required by the General Data Protection Regulation (GDPR), notify the Information Commissioner's Office (ICO) and/or affected data subjects where the GDPR requires it, and comply with ICO guidance. They reflect both the compulsory notification requirements in the GDPR (Article 33: notification to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals; Article 34: communication to affected data subjects without undue delay where the breach is likely to result in a high risk to them) and ICO guidance.

On discovering a data breach, the first thing you should do is assemble a data breach team, comprising the people within your company who are best placed to respond to the breach, e.g., your DPO (if you have one), head of IT, head of compliance and, if employee data is involved, your head of HR. Having assembled your data breach team, you can then take appropriate action to:

• Contain the data breach and (so far as reasonably practicable) recover, rectify, or delete the data that has been lost, damaged or disclosed
• Assess the breach (using this template) and record it in a data breach register
• Notify the appropriate parties of the breach
• Take steps to prevent future breaches

See Articles 33 and 34 of Regulation (EU) 2016/679, EU GDPR and Assimilated Regulation (EU) 2016/679, UK GDPR. See also ICO: Guide to the UK GDPR, Personal data breaches. For additional GDPR resources, see General Data Protection Regulation (GDPR) Overview Resource Kit.