A personal data breach happens when personal information an organisation holds is accidentally or unlawfully destroyed, lost, altered or disclosed, or is accessed without authorisation. 

There are many scenarios in which a data breach can occur, for example: 

  • Your customers’ personal information is stored on a device, and that device goes missing or is stolen
  • A database holding your customers’ information is hacked
  • Personal information is accidentally sent or disclosed to the wrong person

It is important to have a clear understanding of your regulatory responsibilities so that you fulfil your obligations to the individuals whose data you’ve collected. 

What Is A Data Breach Response Plan? 

A Data Breach Response Plan is a framework setting out the roles, responsibilities and steps needed to manage a data breach if one occurs. 

A business’ Data Breach Response Plan should be a comprehensive written document that ensures all staff know their roles if a data breach occurs. 

Your Data Breach Response Plan should be easily accessible to all your staff so that it can be retrieved at short notice, including a copy that can still be reached if your usual systems are unavailable during an incident. 

The ICO recommends that Data Breach Response Plans are tested regularly to ensure they remain up-to-date and effective. How often you test depends on factors such as: 

  • The size of your business 
  • The nature of your business 
  • The extent to which individuals would be affected if a breach were to occur
  • The nature of the information you collect (i.e. how sensitive is it?)  

Why Do I Need A Data Breach Response Plan? 

It’s recommended that you have a Data Breach Response Plan so that your business can respond to any breach in a timely manner. Under the UK GDPR, a breach that is likely to result in a risk to individuals must be reported to the ICO without undue delay and, where feasible, within 72 hours of you becoming aware of it, so the time available to assess and decide is short. 

A quick response is important in reducing the impact of a breach on individuals, reducing the cost of handling the breach, and limiting the damage to your goodwill and reputation.

Responding to data breaches in a quick and efficient manner also lets your clients know that your business takes privacy seriously.

What’s In A Data Breach Response Plan?

Your Data Breach Response Plan should address: 

  • What is considered a data breach: Different businesses may define a breach differently. Your plan should also include concrete examples based on the nature of your business. 
  • Strategies for containing, assessing and managing the data breach: The plan should set out actions for your staff, address legal requirements (e.g. notifying the ICO as the relevant supervisory authority, and notifying affected individuals where the breach is likely to result in a high risk to them) and outline a standard, clear way of communicating with those adversely affected. 
  • Documents: You should detail how you record incidents. Under the UK GDPR you must document every personal data breach, including those you decide not to report to the ICO, recording the facts, its effects and the remedial action taken. This record is how you demonstrate that your business remains compliant with its GDPR obligations.
  • Review: Evaluate the response after the breach and use what you learn to improve your processes. 

The ICO has a sample checklist that is useful in formulating your own Response Plan. 

Need Help?

Putting together a Data Breach Response Plan can seem like a daunting task, but it is crucial for businesses to have one. 

Responding in the most efficient manner is important to maintain trust in your business, and to ensure the effect of the breach is contained. 

Get in touch with us at [email protected] if you have any questions regarding Response Plans or your data privacy obligations.

About Sprintlaw

Sprintlaw's expert lawyers make legal services affordable and accessible for business owners. We're an award-winning, online law firm for small businesses in the UK.
