Data Breach Policy

Rev E

Background

The UK General Data Protection Regulation (GDPR) is based on six principles of handling personal data. We must comply with all six principles as a business; otherwise, we will be in breach of the UK GDPR. The principles give people specific rights in relation to their personal information and place obligations on organisations responsible for processing it.


Aim

The UK GDPR requires that we take appropriate measures against unauthorised or unlawful processing of personal data and against its accidental loss, destruction or damage.

This policy sets out how we deal with a data security breach.


What is a personal data breach?

A personal data breach is a security incident affecting the confidentiality, integrity or availability of personal data.

A breach occurs whenever personal data is:

  • Lost
  • Destroyed
  • Corrupted
  • Disclosed without authorisation
  • Accessed without authority
  • Made unavailable with significant negative impact

Action to be taken in the event of a data breach

1. Containment and Recovery

Immediate priorities:

  • Contain the breach
  • Assess potential consequences
  • Limit the scope

Staff must immediately inform Kelly McNulty.

If Kelly McNulty is absent, Terry Stevens-Smith will lead the investigation.

If data is sent to someone unauthorised:

  • Inform recipient not to pass it on
  • Instruct deletion/destruction
  • Obtain written confirmation
  • Explain implications of further disclosure
  • Inform affected individuals where relevant

2. Assessing the Risk

Key questions:

  • What type of data is involved?
  • How sensitive is it?
  • Was encryption in place?
  • What happened to the data?
  • How many individuals are affected?
  • Who are they (staff, customers, suppliers)?
  • What harm could arise (financial, reputational, safety)?
  • Are there wider consequences (public health, confidence)?
  • Can damage be mitigated?

3. Notifying the ICO and Individuals

Responsible Person

Kelly McNulty is the point of contact for the ICO and for staff.

When to Notify ICO

If the breach poses a likely risk to individuals’ rights and freedoms, it must be reported.

If not reported, justification must be documented.

Timeframe

Report to the ICO within 72 hours of becoming aware of the breach.

If delayed, reasons must be documented.

Information Provided to ICO

  • Nature of breach
  • Categories and approximate number of individuals affected
  • Categories and approximate number of records
  • Contact details:
    Ideal Heat Solutions Ltd
    Sir Thomas Longley Road
    Medway City Estate
    Rochester, Kent ME2 4DU
    01622 933 847
    hire@idealheatsolutions.co.uk
  • Likely consequences
  • Measures taken or proposed

Notification to Individuals

If high risk exists, affected individuals will be informed promptly.

Notification includes:

  • Contact details
  • Likely consequences
  • Mitigation steps

Notification is not required if:

  • Technical protection (e.g., encryption) was in place
  • Subsequent measures removed high risk

Third Parties

Police, insurers, banks or professional bodies may be informed if necessary.


Documentation

All breaches and decisions must be documented, whether reported or not.


Evaluation

After any breach:

  • Investigate the cause
  • Implement remedial action
  • Review security weaknesses
  • Improve processes
  • Provide further training where necessary