Personal Data Breach Plan
(UK GDPR Compliant)


Summary

This template Personal Data Breach Plan can be used by organisations to inform their staff and managers of the actions to take on discovering a personal data breach (including a cybersecurity breach). It reflects reporting requirements in the UK GDPR and takes into account relevant guidance from the Information Commissioner's Office. This template contains practical guidance and drafting notes, and incorporates a process for dealing with actual or suspected personal data breaches. A personal data breach plan may also be known as a data breach policy. This template can also be used for cybersecurity breaches that involve the loss, damage, or unauthorised access to personal data.

On discovering a data breach, the first thing you should do is assemble a data breach team comprising the various people within your organisation who are best placed to respond to the breach, e.g., the Data Protection Officer (if you have one), risk partner, head of IT, head of compliance, head of legal and, if employee data is involved, your head of HR.

Having assembled your data breach team, you can then take appropriate action to:

• Contain the data breach and (so far as reasonably practicable) recover, rectify or delete the data that has been lost, damaged, or disclosed
• Assess the breach and record the breach in your data breach register
• Notify appropriate parties of the breach
• Take steps to prevent future breaches

There is a separate form for staff to notify your data protection or compliance officer of actual or suspected data security breaches.

For additional GDPR resources, see General Data Protection Regulation (GDPR) Overview Resource Kit. For a full listing of U.S. data breach notification content, see Data Breach Notification Resource Kit.