Data Breach Response Plan

Under UK GDPR, certain personal data breaches must be reported to the ICO within 72 hours of becoming aware of them, and individuals must be notified in some cases. 72 hours is not a lot of time to work out what happened, what data was affected, who was responsible, and what to say.

Why a breach response plan needs to exist before the breach

A breach response plan, prepared in advance, is what makes the 72-hour timeline achievable. The plan addresses: how breaches are escalated internally; who decides whether the threshold for notification is met; what the notification says; how affected individuals are communicated with; and what evidence is preserved for later analysis.

Without a plan, organisations consistently miss the deadline or notify badly under pressure. With one, the first three days of an incident are about execution rather than improvisation.

The plan is a practical document designed to be used under pressure, not a theoretical policy that sits in a drawer.

Example: a typical scope and fixed fee

For a UK business needing a working incident response capability, the typical scope looks like this.

What's included

• A consultation to understand your business, data processing, and incident management processes
• A bespoke data breach response plan covering identification, containment, assessment, notification to the ICO, notification to affected individuals, and post-breach review
• Template breach notification letters (to the ICO and to individuals)
• A breach log template for recording incidents

What's outside this scope

• Handling a data breach (I can provide urgent support on request)
• Regulatory investigations by the ICO
• Tax advice

Fixed fee: £450, no VAT.

How I will approach your matter

Once you have instructed me, I will arrange a consultation to understand your business, data processing, and incident management processes before drafting a practical, tailored plan with template notification letters and a breach log. You will be prepared if the worst happens.