Data Breach Reporting Policy

Purpose

The purpose of this policy is to outline the process for identifying, reporting, and managing data breaches to ensure compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This policy aims to minimize potential harm to individuals and the organization, ensure timely resolution, and comply with legal obligations.

Scope

This policy applies to all employees, contractors, and third-party service providers who process personal data on behalf of The Data Goddess (“We”, “Us”, “Our”). It covers all data breaches involving personal data, regardless of whether the data is stored electronically or in physical form.

What Constitutes a Data Breach?

A data breach is any incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data. Examples include:

  • Sending personal data to an incorrect recipient.
  • Loss or theft of a device containing personal data.
  • Unauthorized access to a database or system.
  • Accidental deletion or alteration of personal data without proper backup.

Reporting a Data Breach

  1. Immediate Reporting:
    • Any individual who becomes aware of a data breach must report it immediately to the Data Protection Officer (DPO) at martha@thedatagoddess.com.
    • Include the following details in your report:
      • Description of the incident.
      • Date and time of the incident.
      • Types of data involved.
      • Number of individuals potentially affected.
      • Any actions already taken.
  2. Internal Notification:
    • The DPO will notify relevant stakeholders within the organization to initiate a coordinated response.

Assessing the Breach

The DPO will assess the severity and impact of the breach by:

  • Identifying the cause of the breach.
  • Evaluating the extent and sensitivity of the personal data involved.
  • Determining the potential impact on individuals and the organization.
  • Identifying whether the breach poses a risk to individuals’ rights and freedoms.

Mitigating the Breach

Upon assessment, the DPO will:

  • Contain the breach to prevent further data loss or unauthorized access.
  • Implement measures to secure affected systems or data.
  • Notify impacted individuals if required, providing clear guidance on steps they can take to protect themselves.

Notification to the ICO

If the breach poses a risk to individuals’ rights and freedoms, the DPO will notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach. The notification will include:

  • The nature of the breach.
  • Categories and approximate number of affected individuals.
  • Likely consequences of the breach.
  • Measures taken or proposed to address the breach.

Documentation

All data breaches, regardless of severity, will be documented in the Data Breach Log. The log will include:

  • Date and time of the breach.
  • Description of the incident.
  • Steps taken to mitigate the breach.
  • Outcome of the incident.
  • Lessons learned and future preventive measures.

Responsibilities

  • All Staff:
    • Report any data breach immediately.
    • Follow policies and procedures to minimize the risk of breaches.
  • Data Protection Officer:
    • Oversee breach assessments and responses.
    • Ensure compliance with legal requirements.
    • Maintain the Data Breach Log and report to the ICO when necessary.

Review and Training

This policy will be reviewed annually or after any significant data breach. Regular training will be provided to all staff to ensure awareness of data protection responsibilities and breach reporting procedures.

Contact Information

For questions or further clarification about this policy, please contact:

Effective Date

This policy is effective as of 5th January 2025.

Scroll to Top