Top 5 FAQs about data breach response plans

FAQ•Last updated 15 Oct 2024
Find out the answers to your burning questions about data breach response plans with our FAQs. Gain clarity on crucial aspects, from crafting effective strategies to implementing mitigating actions.

1. What is a data breach response policy?

A data breach response policy (also known as a data breach response plan or data breach policy) is an internal policy document that includes the processes and procedures to be followed by a business’s staff in order to identify, manage and mitigate data breaches. A data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data.

A data breach response plan can be a key tool in ensuring that the effects of a data breach are managed and minimised, and that data protection laws are complied with by staff in relation to the reporting of data breaches to the ICO and to individual data subjects affected by the breach.

Find out more about data breaches by reading this comprehensive guide.

2. What should be included in a data breach response plan?

  1. Identification - it is vital that staff are able to identify a data breach when it has occurred. A data breach response plan should include clear guidance to staff on how to identify a data breach, including examples of the types of incidents that amount to a data breach. If data breaches occur but are missed, there is a risk that your business does not comply with the requirements of data protection law when responding to that breach. Early identification is key to minimising the effect of a data breach too.

  2. Mitigation measures - the data breach response plan should include measures for mitigating the impact of a data breach. This can include processes to identify breaches early on, put in place additional security measures and liaise with third-party experts where required.

  3. Internal reporting - a clear escalation process should be set out in the data breach response plan so that staff know who to report data breaches to. A culture should be created at your business that allows staff to feel that they can report breaches to senior management without fearing the consequences.

  4. Notifications - certain types of breaches must be reported to the ICO and/or the individuals affected by the breach and this should be clearly set out in your data breach response plan. Failure to notify reportable breaches is a breach of data protection laws. Find out more about notification in question 3 below.

  5. Lessons learned - it is important to take remedial action after a data breach to ensure that a similar incident does not occur in the future. The investigation process should be set out in your data breach response plan. You can find out more about preventative actions that can be taken in question 4 below.

3. Who do I need to notify about a data breach?

Certain data breaches need to be reported to the Information Commissioner’s Office (ICO) and sometimes the affected individuals:

  1. ICO - you only have to notify the ICO of a personal data breach if it is likely to result in a risk to the rights and freedoms of individuals. You have to report a notifiable breach to the ICO without undue delay and within 72 hours of when you became aware of it. Failure to report a breach within this timeframe will be a breach of data protection laws; and

  2. Individuals - if a breach is likely to result in a high risk to the rights and freedoms of individuals, the UK GDPR says you must inform those concerned directly and without undue delay. A ‘high risk’ means the threshold for informing individuals is higher than for notifying the ICO.

4. Are any other steps required under the UK GDPR as part of a data breach response plan?

Yes - Article 33(5) of the UK GDPR requires you to document the facts regarding the breach, its effects and the remedial action taken. This is part of your overall obligation to comply with the accountability principle, and allows the ICO to verify your organisation’s compliance with its notification duties under the UK GDPR (in the case of reportable breaches). Find out more about how to record breaches in question 5 below.

In addition, it is important to carry out a thorough investigation into how the breach occurred, in order to prevent a similar breach in the future. This is particularly important where the breach has been caused by human error that could easily have been avoided. Preventative actions of this kind could include, for example, the following measures recommended by the ICO:

  • mandatory data protection induction and refresher training;

  • support and supervision until employees are proficient in their role;

  • updating policies and procedures (including your data breach response policy) to ensure they are comprehensive and clear enough for employees to feel able to report incidents or near misses;

  • working to a principle of “check twice, send once” when sending emails or other external communications;

  • implementing a culture of trust – employees should feel able to report incidents or near misses;

  • investigating the root causes of breaches and near misses; and

  • introducing measures to protect the personal data you are responsible for. This could include, for example: (i) restricting access and auditing systems, or (ii) implementing technical and organisational measures, e.g. disabling autofill.

5. How do I record a data breach?

Businesses should maintain a data breach register that details all actual or suspected data breaches. The data breach register / data breach log should include:

  • the facts surrounding the breach;

  • the effects of the breach; and

  • remedial action taken.

The ICO's template data breach log can be found here.


Author
Docue's Legal Team

Tags: data breach response plan, data breach response policy
