
Data Breach Procedure

Olive Branch Design Ltd · Effective from 2026

1. Purpose

This procedure explains how we identify, manage, and report personal data breaches in line with UK GDPR requirements.

2. What Counts as a Data Breach

A personal data breach is a security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes any:

  • Loss of personal data
  • Theft of personal data
  • Unauthorised access to, or disclosure of, personal data
  • Sending personal data to the wrong recipient
  • Unintended exposure of personal data (for example, publicly accessible files or form submissions)
  • Accidental deletion or alteration of personal data

Examples relevant to our operations include:

  • Misconfigured website forms exposing submissions
  • A newsletter subscriber list being leaked
  • Stripe customer or payment data being exposed
  • A lost or compromised device with admin access

3. Immediate Actions

Upon discovering a potential breach, we will:

  1. Contain — stop the breach from continuing or spreading (for example, taking an affected form offline, revoking exposed credentials, or remotely wiping a lost device)
  2. Assess — determine the nature, scope, and likely impact: what personal data is involved, how many individuals are affected, and how sensitive the data is
  3. Document — record the date and time the breach was discovered, all relevant details, and every action taken; the 72-hour reporting window in section 4 runs from the moment we become aware

4. Reporting to the ICO

Where a breach is likely to result in a risk to individuals' rights and freedoms, we will report it to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it. If a report cannot be made within 72 hours, it will state the reasons for the delay. Where a breach is unlikely to result in a risk, we will not report it to the ICO but will still record it in the breach log (section 7) with the reasoning for that decision.

Reports are submitted via the ICO website.

5. Informing Individuals

Where a breach is likely to result in a high risk to the rights and freedoms of individuals, we will notify those affected without undue delay. The notification will describe, in clear and plain language, the nature of the breach, its likely consequences, the measures we have taken or propose to take, and how to contact us.

6. Prevention Measures

We take the following steps to minimise the risk of breaches:

  • Strong, unique passwords managed with a password manager
  • Two-factor authentication (2FA) on all accounts
  • Secrets such as API keys and tokens kept in environment variables or a secrets store, never hardcoded in source code
  • Regular software and dependency updates
  • Data minimisation: collecting and retaining only the personal data we actually need

7. Record-Keeping

We maintain a breach log for all incidents, regardless of whether they require ICO notification. The breach log is retained for 6 years.

8. Review

This procedure is reviewed annually or after any breach incident.