Data Breach Notification Policy
Effective Date: 4th April 2025
Last Updated: 4th April 2025
1. Introduction
At DPA Cloud Services Ltd, we take every reasonable measure to prevent data breaches — but we also recognise that no system is invulnerable. In the event that a personal data breach occurs, we have a clear policy in place to detect, contain, assess, notify, and remediate as swiftly and transparently as possible.
This policy sets out our approach to breach notification under the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018, and outlines how we will keep affected clients and regulatory authorities informed in the event of a breach.
2. What is a Personal Data Breach?
A personal data breach is any incident that results in:
- Unauthorised access to personal data
- Accidental or unlawful destruction, loss, alteration, or disclosure
- Inaccessibility of data due to ransomware, system failure, or sabotage
This applies whether the data was stored electronically, physically, or in any other form.
3. Breach Detection & Initial Response
Our systems are actively monitored for signs of:
- Unauthorised access or login attempts
- Service or data anomalies
- Abnormal file or network activity
- Unusual authentication failures
Upon detection of a suspected breach:
- The incident is immediately escalated to the internal Data Protection Officer (DPO) or a designated Security Lead
- Relevant systems are isolated and preserved for forensic review
- A risk assessment is carried out to evaluate the scope and impact of the incident
4. Notification to the ICO
If the breach is likely to result in a risk to the rights and freedoms of individuals (e.g., identity theft, financial loss, reputational damage), we will:
- Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach
- Include details of:
  - Nature and scope of the breach
  - Categories and volume of data affected
  - Measures taken to address the breach
  - Contact details for our DPO or security lead
  - Potential impacts on data subjects
  - Preventative actions and remediation steps
If we are unable to gather all the information within 72 hours, we will submit an initial notification and follow up with additional details as soon as possible.
ICO contact: https://ico.org.uk/for-organisations/report-a-breach/
5. Notification to Affected Clients / Data Subjects
If the breach poses a high risk to any individual or organisation whose data we process, we will:
- Notify affected parties without undue delay
- Use direct methods (e.g., email, ticket system, secure portal alert) where contact details are available
- Explain:
  - What data was involved
  - How the breach occurred (to the extent possible)
  - What actions we have taken
  - What steps they should take (e.g., password reset, credit monitoring)
  - How to contact us with questions
Sender Address: [email protected] or your designated Account Manager.
6. Internal Record Keeping
All security incidents and breaches are:
- Documented in a secure incident register
- Categorised by severity, risk level, and affected systems
- Reviewed quarterly to improve future resilience
Records include:
- Breach timeline and impact
- Individuals and entities involved
- Notifications issued and dates
- Corrective actions taken
- Preventative measures implemented
We maintain these records regardless of whether the breach was notifiable to the ICO.
7. Staff Responsibilities
All staff, contractors, and partners are trained to:
- Recognise potential breach indicators
- Report concerns immediately to the Security Lead
- Follow our internal Data Breach Response Plan
Failure to report or respond to a suspected breach may result in disciplinary or contractual action.
8. Review & Updates
This policy is reviewed annually, or immediately following any data breach incident or regulatory change.
Next scheduled review: April 2026
Last updated after: Initial Review
9. Contact
For questions about this policy, suspected incidents, or to report a concern:
- Email: [email protected]
- Email (Privacy): [email protected]
- Post: DPA Cloud Services Ltd, Conway Industrial Estate, Skull House Lane, Appley Bridge, Wigan, WN6 9EU