
Breach Management Policy

Effective Date: 02/01/2025
Version: 1.3
Review Date: annually

1. Purpose

This Breach Management Policy outlines the procedures Tyler Hampshire Ltd will follow in the event of a personal data breach, ensuring compliance with the UK General Data Protection Regulation (UK GDPR), Data Protection Act 2018, and other applicable privacy laws.

This policy supplements our existing Privacy Policy and ensures that any breaches are identified, contained, assessed, reported (where necessary), and remediated in a timely and effective manner.

2. Scope

This policy applies to all employees, contractors, and third-party processors handling personal data on behalf of Tyler Hampshire Ltd.

3. Definitions

  • Personal Data Breach: A security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
  • Data Subject: The individual whose personal data is processed.
  • ICO: Information Commissioner’s Office (UK data protection regulator).
  • DPO: Data Protection Officer (if applicable).

4. Roles & Responsibilities

  • Data Protection Officer (DPO): Oversees breach management, ensures compliance, and liaises with the ICO where required.
  • Senior Management: Approves breach response actions and ensures necessary resources are available.
  • Employees/Contractors: Must report suspected breaches immediately to the DPO or designated contact.

5. Breach Identification & Reporting

5.1 Detection & Initial Response

  • Any employee who suspects a breach must immediately notify the DPO (or designated contact) via dpo@tylerhampshire.uk.
  • The breach report should include:
    • Nature of the breach
    • Categories of data affected
    • Number of data subjects impacted
    • Likely consequences
    • Immediate containment actions taken

5.2 Assessment & Documentation

  • The DPO will assess:
    • Whether the breach poses a risk to individuals’ rights and freedoms.
    • Whether notification to the ICO or data subjects is required.
  • All breaches (whether reportable or not) must be documented in a Breach Register.

6. Breach Notification

6.1 Reporting to the ICO

  • If the breach is likely to result in a risk to individuals’ rights and freedoms, the ICO must be notified without undue delay and, where feasible, within 72 hours of Tyler Hampshire Ltd becoming aware of it. If notification is made after 72 hours, it must state the reasons for the delay.
  • The notification must include:
    • Nature of the breach
    • Categories and approximate number of affected individuals
    • Contact details of the DPO
    • Likely consequences
    • Measures taken/proposed to mitigate the breach

6.2 Notifying Affected Individuals

  • If the breach is likely to result in a high risk to individuals’ rights and freedoms (e.g., financial loss, identity theft, discrimination), affected individuals must be informed without undue delay.
  • Notification should include:
    • Description of the breach
    • Potential impact
    • Steps taken to mitigate risks
    • Contact details for further queries

7. Containment & Recovery

  • Immediate actions may include:
    • Isolating affected systems
    • Resetting compromised credentials
    • Revoking unauthorised access
    • Preserving logs and other evidence needed for the investigation in Section 8
    • Engaging cybersecurity experts (if necessary)

8. Investigation & Root Cause Analysis

  • A post-breach review must determine:
    • How the breach occurred
    • Whether policies/procedures were followed
    • Measures to prevent recurrence

9. Training & Awareness

  • Employees will receive regular training on data protection and breach reporting procedures.
  • Simulated breach exercises may be conducted to test readiness.

10. Policy Review

This policy will be reviewed annually or after a significant breach to ensure effectiveness.

11. Contact Information

For breach reporting or queries: