| 01530 412750 | 07377 137309    

GDPR Data Breach Policy



Please act promptly to report any data breaches. If you discover a data breach, please notify your Line Manager immediately, complete Section 1 of this form and email it to the Data Protection Officer where appropriate (call 01530 566750 to obtain private email address).
Section 1: Notification of Data Security Breach
To be completed by Line Manager of person reporting incident
Date incident was discovered:
Date(s) of incident:
Place of incident:
Name of person reporting incident:
Contact details of person reporting incident (email address, telephone number):
Brief description of incident or details of the information lost:
Number of Data Subjects affected, if known:
Has any personal data been placed at risk? If, so please provide details: Brief description of any action taken at the time of discovery:
For use by the Data Protection Officer
Received by:
On (date):
Forwarded for action to:
On (date):
Section 2: Assessment of Severity
To be completed by the Lead Investigation Officer in consultation with the Manager of the department affected
Details of the IT systems, equipment, devices, records involved in the security breach:
Details of information loss:
What is the nature of the information lost?
How much data has been lost?
If laptop lost/stolen: how recently was the laptop backed up onto central IT systems?
Is the information unique?
Will its loss have adverse operational, research, financial legal, liability or reputational consequences for the company or third parties?
How many data subjects are affected?
Is the data bound by any contractual security arrangements?
What is the nature of the sensitivity of the data?
Please provide details of any types of information that fall into any of the following categories:
HIGH RISK personal data
• Sensitive personal data (as defined in the Data Protection Act) relating to a living, identifiable individual’s a) racial or ethnic origin; b) political opinions or religious or philosophical beliefs; c) membership of a trade union; d) physical or mental health or condition or sexual life; e) commission or alleged commission of any offence, or f) proceedings for an offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings.
• Information that could be used to commit identity fraud such as; personal bank account and other financial information; national identifiers, such as National Insurance Number and copies of passports and visas;
• Personal information relating to vulnerable adults and children;
• Detailed profiles of individuals including information about work performance, salaries or personal life that would cause significant damage or distress to that person if disclosed;
• Spreadsheets of marks or grades obtained by students, information about individual cases of student discipline or sensitive negotiations which could adversely affect individuals.
• Security information that would compromise the safety of individuals if disclosed.
Data Protection Officer and/or Lead Investigation Officer to consider whether it should be escalated to the appropriate body
Section 3: Action taken To be completed by Data Protection Officer and/or Lead Investigation Officer
Incident number e.g. year/001
Report received by:
On (date):
Action taken by responsible officer/s:
Was incident reported to Police? Yes/No
If YES, notified on (date): Follow up action required/recommended:
Reported to Data Protection Officer and Lead Officer on (date):
Reported to other internal stakeholders (details, dates):
For use of Data Protection Officer and/or Lead Officer:
Notification to ICO YES/NO If YES, notified on: Details:
Notification to data subjects YES/NO If YES, notified on:
Details: Notification to other external, regulator/stakeholder YES/NO
If YES, notified on: Details:
ClubsComplete Ltd: Last modified 9th May 2018