
Personal data breach notification policy

This is a personal data breach notification policy, which sets out the procedures to be followed by a business in the event that personal data stored or processed by the business is subject to a breach. The policy has been created with SMEs in mind.

The policy is designed to aid compliance with the General Data Protection Regulation or GDPR, and takes account of the Article 29 Data Protection Working Party's guidance on personal data breach notifications.

As the Working Party state in that guidance, "controllers and processors are ... encouraged to plan in advance and put in place processes to be able to detect and properly contain a breach, to assess the risk to individuals, and then to determine whether it is necessary to notify the competent supervisory authority, and to communicate the breach to the individuals concerned when necessary".

A formal personal data breach notification procedure is recommended by the Working Party: "To aid compliance with Articles 33 and 34, it would be advantageous to both controllers and processors to have a documented notification procedure in place, setting out the process to follow once a breach has been detected, including how to contain, manage and recover the incident, as well as assessing risk, and notifying the breach".

"Personal data breach" under the GDPR covers more than just the unauthorised disclosure of personal information. The phrase is defined as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed by the company".

The policy covers three different types of notification: (i) notifications by a data controller to a supervisory authority, such as the Information Commissioner's Office in the UK; (ii) notifications by a data processor to the data controller whose data is the subject of the breach; and (iii) notifications by a data controller to data subjects, ie human beings. Three schedules to the policy contain notification forms, one for each type of notification.

Whilst the policy does cover incident detection and response in summary form, it is primarily concerned with notification, and larger organisations at least should combine this document with more detailed policies covering detection and response. Moreover, the policy focuses upon personal data breaches, not information security incidents generally.

The policy is not designed for use in relation to any non-GDPR data breach notification rules and - if any other such rules apply to the relevant business - the policy would need to be adapted accordingly before use.


Personal data breach notification policy contents

  1. Introduction: purpose of personal data breach notification policy; approach to personal data breaches.
  2. Definitions: definitions (appointed person, data breach).
  3. Detection of personal data breaches: technological measures to detect personal data breaches; organisational measures to detect personal data breaches; regular review of measures to detect personal data breaches.
  4. Responding to personal data breaches: personnel to notify appointed person upon personal data breach; role of appointed person regarding personal data breaches; cooperation with appointed person; appointed person to determine role of company where personal data breach; steps to be taken when responding to a personal data breach; company to keep record of response to personal data breach.
  5. Notification to supervisory authority: section applies where company is data controller; obligation to notify supervisory authority of personal data breach; procedure for notification of personal data breach to supervisory authority; exception to obligation to notify supervisory authority of personal data breach; additional information to be provided to supervisory authority; changes in facts relating to personal data breach to be notified to supervisory authority.
  6. Notification to data controller: section applies where company is data processor; obligation to notify data controller of personal data breach; procedure for notification of personal data breach to data controller; additional information to be provided to data controller.
  7. Notification to data subjects: section applies where company is data controller; data subject notifications in consultation with supervisory authority; obligation to notify data subjects of personal data breach; procedure for notification of personal data breach to data subjects; exception to obligation to notify data subjects of personal data breach; discretionary notification of personal data breach to data subjects.
  8. Other notifications: notification of personal data breach to other persons.
  9. Reviewing and updating this policy: persons responsible for reviewing and updating policy; annual review of policy; ad hoc review of policy; matters to be considered during review of policy.

Schedule 1 (Notification of personal data breach to supervisory authority)

  1. Introduction: identification of person giving personal data breach notification.
  2. Description of personal data breach: prompt for general description of personal data breach.
  3. Categories of data subject affected: prompt for categories of data subject affected.
  4. Number of data subjects affected: number of data subjects affected.
  5. Categories of personal data concerned: prompt for categories of personal data concerned.
  6. Number of records concerned: prompt for number of records concerned.
  7. Likely consequences of breach: prompt for likely consequences of personal data breach.
  8. Measures taken to address breach: prompt for measures taken to address breach.
  9. Has breach been notified to data subjects?: details of whether data breach notified to data subjects.
  10. Late report of breach: prompt for reasons for late report by controller of personal data breach.
  11. Contact details: contact details for personal data breach.

Schedule 2 (Notification of personal data breach to data controller)

  1. Introduction: identification of person giving personal data breach notification.
  2. Description of personal data breach: prompt for general description of personal data breach.
  3. Categories of data subject affected: prompt for categories of data subject affected.
  4. Number of data subjects affected: number of data subjects affected.
  5. Categories of personal data concerned: prompt for categories of personal data concerned.
  6. Number of records concerned: prompt for number of records concerned.
  7. Likely consequences of breach: prompt for likely consequences of personal data breach.
  8. Measures taken to address breach: prompt for measures taken to address breach.
  9. Contact details: contact details for personal data breach.

Schedule 3 (Notification of personal data breach to data subject)

  1. Introduction: identification of person giving personal data breach notification.
  2. Description of personal data breach: prompt for general description of personal data breach.
  3. Categories of personal data concerned: prompt for categories of personal data concerned.
  4. Likely consequences of breach: prompt for likely consequences of personal data breach.
  5. Measures taken to address breach: prompt for measures taken to address breach.
  6. Steps to mitigate breach: prompt for steps data subject may take to mitigate personal data breach.
  7. Contact details: contact details for personal data breach.