Guide: Personal Data Breach Policy

A policy is a statement of management’s intent, and is usually supported by a more detailed procedure or protocol. It is good practice to have a policy that covers your organisation’s responses to security incidents, especially those that could lead to a personal data breach under the GDPR. The following is a suggested outline to help you compile your own policy.

Personal Data Breach Policy

Introduction (some call this the Policy Statement)

Describe the fact that your organisation collects, processes and retains personal data and that every care must be taken to protect that personal data.

A personal data breach, if not addressed appropriately and promptly, could result in physical, material or non-material damage to people, such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy, or any other significant economic or social disadvantage.

Purpose and Scope

The GDPR requires our organisation to have a suitable data security framework in place. This policy is an essential part of that framework and sets out the procedure to be followed to ensure a consistent and effective response to a security incident. The objective of this policy is to respond to the incident, contain any breach, minimise the risk associated with the breach, and consider what action is necessary to secure personal data and prevent further breaches. The policy applies to all employees, contractors and other stakeholders who might have access to, or be responsible for, the collection and processing of personal data.

Definition of a personal data breach

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. Note that this covers more than disclosure: loss of availability (for example, data destroyed by ransomware or a failed backup) and unauthorised alteration are also breaches.

An incident that could lead to a data breach could include:

loss or theft of confidential or sensitive data or equipment on which such data is stored (e.g. loss of laptop, USB stick, iPad / tablet device, or paper record);

equipment theft or failure;

system failure;

unauthorised use of, access to or modification of data or information systems;

attempts (failed or successful) to gain unauthorised access to information or IT system(s);

unauthorised disclosure of sensitive / confidential data;

website defacement;

hacking attack;

unforeseen circumstances such as a fire or flood;

human error.

Reporting an incident

Provide the contact details of the people in the organisation who are responsible for initiating and managing the response to incidents. What happens if an incident occurs outside normal operating hours? Encourage people to record as much detail as possible (what happened, when it was discovered, what data and systems are involved, and what has already been done). Does a failure to report an incident incur any potential disciplinary action?

Containment and recovery

Explain who the first responder is and what he or she must do, e.g. determine whether the incident is still occurring and, if so, take steps to minimise its effects. Describe the process that follows, i.e. the initial assessment to establish severity; what can be done to limit damage or recover losses; who may need to be notified as part of the initial containment; any involvement of law enforcement; the course of action to be followed, and so on. Containment steps should preserve evidence where possible (for example, isolating a compromised system rather than wiping it), since the investigation that follows depends on it.

Investigation and risk assessment

(Actual details should be located in your breach procedure document)

Who will take the lead in any investigation? How soon should the investigation start? How will risks be assessed and impact measured? What must be taken into account, e.g. the kind of data involved; the data subjects affected and the effect of the incident on them; what data subjects can do to minimise the impact; where the breach occurred (internally, or at a processor perhaps), and so on.

Notification

(Actual details should be located in your breach procedure document)

Your policy should highlight that it may not be necessary to inform your supervisory authority (notification is not required where the breach is unlikely to result in a risk to the rights and freedoms of individuals), but that if you do notify, it must be done within 72 hours of becoming aware of the breach; where notification is made later than 72 hours, it must be accompanied by the reasons for the delay. Where the breach is likely to result in a high risk to individuals, they must be informed without undue delay. Make people aware that law enforcement may ask you to delay informing data subjects. Is there anything data subjects must do to minimise the impact? When you inform data subjects, do so promptly and in simple but specific language. You must consider whether it is necessary to inform other stakeholders, such as insurers, banks, credit card companies and trade unions. State the fact that a record must be kept of every incident and breach, including the facts, its effects and the remedial action taken, regardless of whether notification was required.

Evaluation and response

Who will carry out a full review of the causes, the effectiveness of the response, and the impact on existing systems and procedures? Who will review existing controls to determine whether any improvement is necessary? Who will determine whether any training and awareness activity is necessary?

Policy review

State when your policy was last reviewed and approved, by whom, and when it is next due for review.

The content herein is provided for your convenience and does not constitute legal advice.

Compliance Technology Solutions B.V. 2018

Russell is the author of this solution article.
