Data Breach Response Policy

Last updated: May 2026

Reporting a concern about your data

If you believe your personal data has been compromised by Sparkline Advisory Ltd, please contact us immediately at [email protected]. We aim to acknowledge all reports within 24 hours and will keep you informed throughout our response.

Purpose and scope

This policy sets out how Sparkline Advisory Ltd identifies, assesses, manages, and reports personal data breaches. It serves two purposes: it explains our internal response procedures, and it provides transparency to clients, website visitors, and other individuals about how we handle breaches that may affect them.

This policy applies to all personal data processed by Sparkline Advisory Ltd, whether held electronically or in physical form, and to any contractors or subcontractors who process personal data on our behalf.

We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Our data protection contact is Martha Horler, Director. All data protection queries and breach reports should be directed to [email protected].

What is a personal data breach

A personal data breach is any incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to personal data. Breaches can affect confidentiality, integrity, or availability of data.

Type of breach | Examples
Confidentiality breach | Sending personal data to the wrong recipient; unauthorised access to a file or system; sharing data without authority.
Integrity breach | Accidental or malicious alteration of personal data; corruption of a database.
Availability breach | Accidental deletion of personal data without backup; loss or theft of a device containing personal data; ransomware locking access to data.

Not every security incident is a reportable breach. A breach that is unlikely to result in any risk to individuals’ rights and freedoms does not need to be reported to the ICO, although it must still be documented internally.

How to report a breach to us

If you are a client, website visitor, or other individual

If you believe that personal data we hold about you has been compromised, or if you have reason to believe a breach may have occurred, please contact us as soon as possible:

•  Email: [email protected]

•  Post: Piccadilly Business Centre, Unit C, Aldow Enterprise Park, Blackett Street, Manchester, M12 6AE

Please include as much detail as you can: what happened, when you became aware of it, what data you think may be affected, and any steps you have already taken. We will acknowledge your report within 24 hours and keep you informed of our response.

Internal reporting

Any contractor or subcontractor working on behalf of Sparkline Advisory Ltd who becomes aware of, or suspects, a data breach must report it to Martha Horler immediately and without delay. Do not wait to gather all the facts before reporting – speed is critical. Contact: [email protected].

Please provide as much of the following as you can at the point of initial report:

•  A description of what happened.

•  The date and time the incident occurred or was discovered.

•  The types of personal data involved.

•  The approximate number of individuals potentially affected.

•  Any steps already taken to contain the incident.

Our response process

On becoming aware of a potential breach, we follow a structured response. Given that we are a small organisation, these steps are carried out by Martha Horler as data protection contact, with external support sought where necessary.

Step | Action | Detail
1 | Contain | Take immediate steps to stop or limit the breach. This may include revoking access, recovering misdirected data, or isolating affected systems. The priority is to prevent further loss or exposure.
2 | Assess | Evaluate the nature, scope, and likely impact of the breach. Identify what data is involved, how many individuals are affected, and what the risk to those individuals’ rights and freedoms may be.
3 | Notify the ICO | If the breach is likely to result in a risk to individuals’ rights and freedoms, notify the ICO within 72 hours of becoming aware of it. If notification is not possible within 72 hours, it will be submitted as soon as possible with a documented explanation for the delay.
4 | Notify individuals | If the breach is likely to result in a high risk to individuals’ rights and freedoms, notify those individuals directly without undue delay. Notifications will be clear, plain-language, and include advice on steps individuals can take to protect themselves.
5 | Document | Record full details of the breach in our Data Breach Log, regardless of severity or whether ICO notification was required (see below).
6 | Review | Once the immediate response is complete, review the cause of the breach and implement measures to prevent recurrence.

ICO notification

72-hour rule

Where a breach is likely to result in a risk to individuals’ rights and freedoms, we must notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of it. This clock starts from the moment we become aware – not from when the breach occurred.

Our ICO notification will include:

  • The nature of the breach, including categories and approximate number of individuals and records affected.
  • The name and contact details of our data protection contact.
  • The likely consequences of the breach.
  • The measures taken or proposed to address the breach and mitigate its effects.

Where it is not possible to provide all of this information within 72 hours, we will provide what we can and follow up with the remainder as soon as possible, with a documented explanation for the phased approach.

Not all breaches need to be reported to the ICO. A breach that is unlikely to result in any risk to individuals’ rights and freedoms – for example, where encrypted data is lost on a device with no realistic possibility of decryption – does not trigger the ICO notification requirement. However, it must still be recorded in the Data Breach Log.

Notifying affected individuals

Where a breach is likely to result in a high risk to the rights and freedoms of individuals, we will notify those individuals directly and without undue delay. This is a higher threshold than the ICO notification test – not every breach that is reported to the ICO will also require individual notification.

Factors we consider when assessing whether individual notification is required include:

  • The sensitivity of the personal data involved.
  • The number of individuals affected.
  • The likelihood that the breach will result in identity theft, financial loss, discrimination, reputational damage, or other significant harm.
  • Whether the data has been accessed by or disclosed to an unauthorised third party.

Where individual notification is required, we will contact affected individuals in plain language, explain what happened and what data was involved, and provide clear guidance on steps they can take to protect themselves.

Data breach log

All personal data breaches, regardless of severity or whether ICO notification was required, are recorded in our Data Breach Log. This is a requirement of UK GDPR (Article 33(5)) and forms part of our accountability obligations.

Our Data Breach Log records:

  • The date and time the breach occurred and when we became aware of it.
  • A description of the nature of the breach.
  • The categories and approximate number of individuals and records affected.
  • The likely consequences of the breach.
  • The steps taken to contain, mitigate, and respond to the breach.
  • Whether ICO notification was made, and if so when, or the reasons why notification was not required.
  • Whether affected individuals were notified, and if so when and how.
  • Lessons learned and any changes made to prevent recurrence.

The Data Breach Log is maintained by Martha Horler and is available for inspection by the ICO on request.

Responsibilities

Martha Horler – Director and data protection contact

  • Receive and triage all breach reports.
  • Lead the breach assessment and response.
  • Decide whether ICO notification is required and submit within 72 hours where applicable.
  • Decide whether individual notification is required and manage that communication.
  • Maintain the Data Breach Log.
  • Review the cause of breaches and implement preventive measures.

Contractors and subcontractors

  • Report any actual or suspected breach to Martha Horler immediately and without delay.
  • Co-operate fully with the breach response, including providing information and assisting with containment.
  • Not disclose details of a breach to third parties without authorisation from Martha Horler.
  • Comply with data protection obligations set out in any contract or data processing agreement with Sparkline Advisory Ltd.

Breaches by our processors

Where a personal data breach occurs at one of our third-party processors – for example a hosting provider, email platform, or payment processor – they are required to notify us without undue delay so that we can assess the impact and meet our own regulatory obligations.

Our contracts with processors include obligations to report breaches to us promptly. On receiving such a notification, we will assess the impact on personal data we have entrusted to that processor, and follow our response process above.

Review of this policy

This policy will be reviewed annually as a minimum, and immediately following any significant data breach or change in relevant law or guidance. The review date and any material changes will be reflected in the version date at the top of this document.

As a small organisation, formal staff training programmes are not applicable. However, any contractors or subcontractors engaged by Sparkline Advisory Ltd will be made aware of this policy and their obligations under it as part of their onboarding.

Contact and further information

For any questions about this policy, to report a concern, or to exercise your data protection rights, please contact:

  • Organisation: Sparkline Advisory Ltd
  • Company number: 17164009
  • Data protection contact: [email protected]
  • Postal address: Piccadilly Business Centre, Unit C, Aldow Enterprise Park, Blackett Street, Manchester, M12 6AE

If you are not satisfied with our response, you have the right to complain to the Information Commissioner’s Office (ICO):

  • Website: ico.org.uk
  • Telephone: 0303 123 1113
  • Post: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
