Data Breach Response Procedure
Procedure for identifying, containing, assessing, and reporting personal data breaches.
What this document covers
Under the UK GDPR, you must report certain personal data breaches to the ICO within 72 hours of becoming aware of them. This procedure covers how to identify a breach, contain it, assess the risk, decide whether to notify the ICO and affected individuals, and learn from it.
Key sections included
- Breach identification
- Containment
- Risk assessment
- ICO notification
- Individual notification
- Documentation
- Post-incident review
Frequently asked questions
Does every breach need to be reported to the ICO?
No — only breaches that are likely to result in a risk to individuals' rights and freedoms. But ALL breaches must be documented internally.
Document details
- Legal basis: UK GDPR, Articles 33-34
- Enforced by: ICO
- Penalty for absence: Failure to notify the ICO of a reportable breach within 72 hours: fines up to £8.7 million or 2% of turnover.
- Category: Data & Privacy
Generate your Data Breach Response Procedure in minutes
Customised with your business name, address, and details. Legally referenced. Ready to print and file.