GDPR Personal Data Breach Notification Procedure

This GDPR Personal Data Breach Notification Procedure is designed for Club Demo to ensure a systematic, compliant response to any potential security incident.

In the world of data protection, it’s not just about if a breach happens, but how fast and transparently you handle it.


1. Purpose and Scope

The goal of this policy is to ensure that Club Demo reacts consistently and effectively to personal data breaches, meeting the 72-hour notification requirement set by the GDPR. This applies to all employees, contractors, and third-party processors.

2. What Constitutes a Breach?

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. Examples include:

  • Confidentiality Breach: Unauthorized disclosure (e.g., an email sent to the wrong member).
  • Availability Breach: Loss of access to data (e.g., a ransomware attack or permanent deletion).
  • Integrity Breach: Unauthorized alteration of data.

3. The 4-Step Response Procedure

Step 1: Identification and Internal Reporting

Any staff member who suspects a breach must report it immediately to the Data Protection Lead (DPL) or Management.

  • Do not attempt to fix the issue yourself before reporting.
  • Document the time of discovery and the nature of the event.

Step 2: Investigation and Risk Assessment

The DPL will lead an investigation to determine the severity. We use a risk-based approach to decide if notification is required.

Risk Level | Impact on Individuals                                                    | Action Required
-----------|--------------------------------------------------------------------------|------------------------------------------
Low        | Unlikely to result in a risk to rights/freedoms.                         | Log internally; no notification.
Medium     | Likely to result in a risk (e.g., identity theft, loss of control).      | Notify Supervisory Authority within 72h.
High       | High risk of significant harm (e.g., financial loss, reputation damage). | Notify Authority AND affected individuals.

Step 3: Notification

If the breach is "likely to result in a risk," Club Demo must follow these protocols:

  1. To the Supervisory Authority (e.g., ICO): Must be done without undue delay and, where feasible, not later than 72 hours after becoming aware of it.
  2. To the Data Subject (The Individual): Must be done "without undue delay" if the risk is high. Communication must be in clear, plain language.

Step 4: Documentation and Evaluation

Regardless of whether a breach is reported to the authorities, Club Demo must record:

  • The facts surrounding the breach.
  • Its effects and the remedial action taken.
  • The reasoning behind why a breach was (or was not) reported.

4. Remediation and Prevention

Post-breach, Club Demo will conduct a "Lessons Learned" session to:

  • Identify the root cause (human error, system flaw, etc.).
  • Update security measures or staff training.
  • Review third-party processor contracts if they were involved.

Note: Under GDPR, failing to notify a breach can result in higher fines than the actual breach itself. Transparency is your best defense.
