Data Breach Policy Template

This data breach policy template is an internal policy for staff to refer to if they suspect or become aware of a personal data breach.
Legislation GB-EAW
Topics Updated by a lawyer: 30 Apr 2024

What is this data breach policy template?

Importance: There are few things so dreaded in the world of business as a data breach. In recent years, headlines have been smothered in reports of hefty fines, broken consumer trust, and mismanagement of personal data – all thanks to a data breach. As you can imagine, a data breach policy is a particularly useful document to have in your portfolio to prevent and manage data breaches - without a data breach policy, the risk to your business of suffering a data breach that could damage your reputation (and lose the trust of customers) increases.

Internal document: This data breach policy template is an internal policy for staff to refer to if they suspect or become aware of a personal data breach.

What is a data breach? Under UK data protection law, a personal data breach is defined widely and is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. It doesn't matter if the data has been impacted maliciously or accidentally. For example, a data breach could include:

  • access by an unauthorised third party;
  • deliberate or accidental action (or inaction) by a controller or processor;
  • sending personal data to an incorrect recipient;
  • computing devices containing personal data being lost or stolen;
  • alteration of personal data without permission; and
  • loss of availability of personal data.

Find out more about data breach policies by reading this comprehensive guide.

Why does my business need to use this data breach policy template?

Clear rules for staff: Regardless of how the breach occurs, you should use this document to set out the rules under data protection law and instruct your staff on what to do, step by step. For example, your company has 72 hours to inform the ICO (Information Commissioner's Office) of an actual or suspected data breach where the breach could result in a likely risk to the rights and freedoms of individuals, so your staff will need to know what information to provide, and how, where and to whom to provide it.

Risk Mitigation: Data breaches can result in significant financial and reputational damage to your business. A data breach policy helps you establish a framework to prevent, detect, and respond to data breaches effectively and in compliance with data protection laws. The data breach policy template also sets out the best practices your staff should follow to minimise the risk and impact of data breaches.

Assumptions: This data breach policy template assumes that your company collects and processes personal data, and that your company has an IT/tech or other dedicated team/member of staff (for example, a DPO) in place to deal with and take leadership for resolving data breaches. This data breach policy template also assumes that English law applies.

Use this handy checklist to help you prepare for and manage data breaches.

What does Docue’s data breach policy template include?

Key provisions: Using Docue’s dynamic data breach policy template, you can create a comprehensive data breach policy in no time which can include:

  1. Background information: details about the business the policy relates to and who is responsible for privacy at the business;
  2. What is a data breach: information to enable staff to identify data breaches, including examples of what could constitute a data breach;
  3. What the staff should do if they suspect there has been a data breach: including details of who to notify of the breach, and what information needs to be included in that notification;
  4. What the business will do in the event of a data breach, including:
     • Containment: taking mitigating steps to stop or minimise further loss, destruction or unauthorised disclosure of personal data.
     • Recovery: identifying ways to recover, correct or delete data.
     • Notification: assessing who needs to be notified of the breach. This could include the ICO, data subjects and law enforcement officials.
     • Recording the breach: all data breaches (whether or not notified to the ICO) should be recorded on a data breach register.
  5. Preventing future breaches: the action to be taken to prevent further breaches, including staff training and security measures; and
  6. Contact details: a nominated contact that the reader can contact if they have questions or queries about the policy.

Data breach policy template that adapts to your needs

Created by lawyers: Docue’s data breach policy template is lawyer-made, lawyer-maintained, and has lawyer-crafted guidelines to steer you through every stage of drafting your document. This means that the data breach policy template is kept up to date with ever-changing data protection laws.

Easy to use: To create your data breach policy with confidence and speed, simply click through the intelligent tick box options and text box answers and you’ll have a comprehensive, tailored, and ready-to-use data breach policy in no time. And don't worry - if you get stuck along the way, our lawyer-drafted guidance notes are there to guide you through the document creation process.

Tags: data breach policy, personal data breach, data breach policy template, data breach response policy, breach notification policy


Docue gives you access to 130+ high-quality legal templates drafted and maintained by UK lawyers. Trusted by 40,000+ companies.

"We needed an instant fix for writing contracts and looked around at alternatives, but Docue was superior. Easy to engage with and a wide range of templates."

Darrell Arnold

Founder & CEO, Servicedek

"Docue gave us professional contracts that we know are legally written, and cover us in a way that's easy for a non-expert to understand."

Andrew Cowen

Chief Commercial Officer, Komerz