Data Breach Procedure
Effective from 2026 · Olive Branch Design Ltd
1. Purpose
This procedure explains how we identify, manage, and report personal data breaches in line with UK GDPR requirements.
2. What Counts as a Breach
A personal data breach includes any accidental or unlawful:
- Loss of data
- Theft of data
- Unauthorised access
- Accidental disclosure (mis-sending)
- Exposure of data
- Accidental deletion
Examples relevant to our services:
- Misconfigured website forms exposing submissions
- Newsletter subscriber list leak
- Stripe data exposure
- Lost device with admin access
3. Immediate Actions
- Contain: take immediate steps to limit the scope of the breach and prevent further data exposure.
- Assess: determine what data was affected, how many people are impacted, and the likely severity of harm.
- Record: note the nature of the breach, the data involved, actions taken, and persons notified.
4. Reporting to the ICO
Where a breach is likely to result in a risk to individuals' rights and freedoms, we will report it to the ICO within 72 hours of becoming aware of it, via ico.org.uk.
5. Notifying Individuals
If a breach is likely to result in a high risk to the rights and freedoms of individuals, we will notify the affected individuals directly without undue delay.
6. Prevention Measures
We take the following preventative steps:
- Strong, unique passwords for all accounts
- Two-factor authentication (2FA) on all critical systems
- Secure environment variables (no credentials in code)
- Regular software and dependency updates
- Minimal data storage (data minimisation principle)
7. Record-Keeping
We maintain an internal breach log, retained for 6 years in line with our Data Retention Policy.
8. Review
This procedure is reviewed annually or following any breach incident.