Data Breach Policy
Purpose and Scope: This Data Breach Policy outlines the procedure for responding to any actual or suspected personal data breach at 4 Woods Carpentry and Construction Limited ("the Company"). It is designed to ensure we detect, investigate, risk-assess, and record any such breaches, and where appropriate, notify authorities or individuals as required by the UK GDPR and Data Protection Act 2018. Having effective processes in place helps us protect individuals from harm and protect the Company from legal and reputational damage. A "personal data breach" is any security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This policy applies to all personal data processed by the Company, in electronic or physical form, and to all employees, subcontractors, or others who handle personal data on our behalf.
Reporting a Suspected Breach:
- Immediate Reporting: All staff, contractors, or any third party who discovers or suspects that a data breach has occurred must immediately report it to the designated Data Protection Officer (DPO) or, if no DPO is appointed, to [Name/Role, e.g., the Managing Director or IT Manager], who is responsible for data protection. Time is of the essence – any delay can exacerbate harm. Reports should ideally be made on the same working day as discovery, via our breach reporting email [e.g., breach@4woodscarpentry.co.uk] or by phone in urgent cases.
- Information to Provide: The person reporting should provide as much detail as possible, including: what happened (and how it was discovered), when it happened (date and time, if known), what data might be affected (whose data and what types of personal data), how many individuals are potentially impacted, and what steps (if any) have been taken so far to contain it. If not all of this information is available initially, do not delay reporting – an initial report with the known facts is enough to start.
- No Blame Culture: Breaches often result from human error. Our priority is prompt reporting and damage mitigation, not assigning blame. Employees should feel safe to report mistakes or incidents without fear of punishment (unless there was wilful misconduct). All reports will be handled confidentially and investigated objectively.
- Internal Escalation: On receiving a report, the DPO (or responsible manager) will log the incident in the Data Breach Register and immediately escalate significant breaches to senior management (and IT/security personnel if relevant). "Significant breaches" include those involving sensitive personal data, large volumes of data, external exposure, or a risk of harm to individuals.
Containment and Initial Assessment:
- Activate Response Team: The DPO or manager will convene an incident response team appropriate to the breach. This may include IT personnel (if it is an electronic data issue), the relevant department manager, HR (if employee data is involved), and others as needed. One person will be assigned as Incident Lead to coordinate actions and communication.
- Stop the Bleeding: The first priority is to contain the breach and limit further unauthorised access to, or loss of, data:
  - If the breach involves compromised systems (e.g., hacking or a malware infection), IT will isolate the affected systems by disconnecting them from the network, changing access credentials, and applying patches or firewall blocks as needed.
  - If it is a lost or stolen device (laptop, USB drive, smartphone), attempt to remotely wipe the device and inform the police if theft is suspected. Change the passwords for any accounts that were accessible from that device.
  - If an email was sent to the wrong recipient, contact the recipient, request deletion of the email (and any attachments), and obtain written confirmation. If possible (e.g., an internal mis-send), recall the email or have IT delete it from the recipient's inbox.
  - Secure any physical areas related to the breach (lock cabinets, retrieve files left out, etc.). If papers or files are missing, determine their last known location and try to retrieve them.
- Preserve Evidence: Do not destroy evidence that could be useful in investigating the cause or extent of the breach. This may include making copies of server logs, keeping an offending phishing email, preserving video footage, etc. Document all containment steps taken, noting the date and time of each.
- Initial Classification: The response team will make an initial assessment: What category of data is involved? Highly sensitive (financial details, passwords, health information) or low sensitivity (e.g., business contact information)? How many individuals' data are involved (one or many)? Is the breach ongoing or now contained? This guides urgency and next steps.
Risk Assessment:
After immediate containment, the team will conduct a thorough risk evaluation:
- Scope of Impact: Determine exactly what personal data has been breached. List the data fields (e.g., names, addresses, financial information) and the number of records/subjects. Identify the categories of affected individuals (customers, employees, etc.).
- Consequences for Individuals: Assess the potential harm to data subjects:
  - Could they suffer identity theft or fraud (e.g., if financial or identity information was leaked)?
  - Could they face physical harm or embarrassment (e.g., exposure of sensitive health or personal details)?
  - Could the breach lead to discrimination or reputational damage for them?
  - If passwords were exposed, were they hashed or in plaintext? Could accounts be misused?
- Severity and Likelihood: For each potential consequence, evaluate how likely it is to happen and how severe it would be. Use risk ratings (e.g., high/medium/low risk) based on ICO guidance.
- Risks to the Company: Also consider the legal and business risks to the Company: breach of contract or law, fines, loss of client trust, etc. However, the priority is the risk to individuals.
- Document Findings: The team will document the risk assessment in the incident log. This documentation is important if notification to the ICO is required, as the decision will hinge on whether the breach is "likely to result in a risk to the rights and freedoms of individuals" (which triggers ICO notification) or "high risk" (which triggers individual notification).
Notification Determination: Based on the risk assessment:
- Notify ICO: If the breach is likely to result in a risk to individuals (even if not a high risk), the ICO must be notified without undue delay and within 72 hours of when we became aware of the breach. The Incident Lead will draft a notification report for the ICO including:
  - A description of the breach (e.g., "On [date], an unencrypted company laptop containing customer records was stolen from an employee's car").
  - The categories and approximate number of data subjects and data records concerned (if known).
  - The likely consequences of the breach (the risks anticipated).
  - The measures taken or proposed to address the breach (containment and future mitigation).
  - The contact details of our DPO or Incident Lead.
  If complete information is not available within 72 hours, we will send an initial notification within 72 hours and follow up with supplemental information as soon as possible. We will also record the reasons for any delay beyond 72 hours (should that occur).
- Notify Individuals: If the breach is likely to result in a high risk to the rights and freedoms of individuals, we will also notify the affected individuals without undue delay. "High risk" means the potential for significant harm (financial loss, identity theft, risk to personal safety, etc.). The notification to individuals will:
  - Be in clear, plain language, explaining the nature of the breach and its likely consequences.
  - Include contact information for our DPO or Incident Lead.
  - Describe the measures we have taken or will take to mitigate the breach's effects.
  - If applicable, advise specific steps individuals can take to protect themselves (e.g., "reset your passwords", "monitor your bank statements for fraudulent activity", or "be vigilant for scam calls").
  We will choose an appropriate method to reach individuals (e.g., direct email, a phone call for serious cases, or a postal letter if needed). If contacting all individuals would be overly burdensome (e.g., because we lack contact details), we may use a public communication (such as a prominent website notice or press release), but will coordinate that with ICO guidance.
  Exceptions: We may not notify individuals if we have implemented subsequent measures that ensure the high risk is no longer likely to materialise (e.g., the data was strongly encrypted), if notification would involve disproportionate effort (in which case a public notice would suffice), or if the ICO agrees it is not needed. All decisions and their rationales will be documented.
- Other Notifications: If the breach involves other organisations' data (e.g., data we process for a partner) or if law enforcement needs to be informed (e.g., theft or cybercrime), we will also notify those parties as appropriate. For example, if bank account details are compromised, we might alert the relevant banks to watch for fraud; if the breach involves our IT provider's systems, we will work with them to ensure they notify any regulator if required.
Breach Response and Remediation:
- Investigation: The incident response team will continue to investigate how the breach occurred and whether all containment steps were effective. This could involve forensic analysis of logs, interviewing the staff involved, reviewing CCTV if a physical breach occurred, etc. The goal is to understand the root cause (human error, system vulnerability, malicious attack, etc.).
- Fix Vulnerabilities: Based on what we find, we will implement remedial measures to prevent a similar breach:
  - If the cause was human error (e.g., mis-sending an email), consider refresher training or technical controls (such as email data loss prevention (DLP) software that warns before a message containing many records is sent).
  - If the cause was technical (e.g., a server misconfiguration or outdated software), fix those issues immediately (update configurations, apply patches) and scan for other similar weaknesses.
  - If the cause was procedural (e.g., no protocol for backing up and encrypting laptops), update the relevant policies and enforce them (for example, by requiring encryption on all portable devices, as company policy already states).
- Disciplinary Action: If the breach occurred due to negligence or a deliberate policy violation by an employee or contractor, management will follow up in line with our HR policies. The emphasis is on correcting behaviour and preventing recurrence, but serious negligence or wilful disregard of security may result in disciplinary measures.
- Communication: We will keep relevant stakeholders informed throughout. Internally, key management will be kept up to date on progress. If individuals were notified, we may also provide them with updates if important new information emerges (e.g., we recovered the stolen data or identified the perpetrator with police help).
- Documentation: Every step taken – from the initial report, containment actions, risk assessment, and notifications (with copies of any communications to the ICO or individuals), through to the final remedial actions – will be documented in the Breach Report. The Breach Report will also include a timeline of events and the personnel involved. This report serves both as evidence of our response (should the ICO inquire further) and as a learning document for future improvement.
Post-Incident Review and Improvement:
- After resolving an incident, the DPO or Incident Lead will organise a post-mortem meeting with the response team and relevant management. The aim is to evaluate:
  - Effectiveness: Were our detection and response procedures adequate? Did staff know how to report? Was containment quick? Did we meet the 72-hour notification deadline?
  - Root Cause Fixes: Are the measures put in place sufficient to prevent recurrence? Do we need to invest in better security (e.g., new software, more training, additional staffing)?
  - Lessons Learned: Identify any gaps in our policy or procedures that the incident revealed. For example, we may discover that not all laptops were encrypted (so policy enforcement was lacking), or that our customer database was accessible with weak credentials (so authentication needs to be strengthened).
- Action Plan: The outcome of the review will be a set of action items. These might include updating specific security policies, conducting company-wide security training refreshers, improving our breach response plan itself, or deploying new security tools. We will assign an owner and a deadline to each action.
- Monitoring: The Company will monitor the implementation of the improvements. The DPO or designated security officer will report to senior management on progress. We may also schedule an internal or external audit to ensure that similar vulnerabilities have been addressed across the board.
- Trend Analysis: The DPO maintains the breach log. Periodically (at least annually), they will analyse breach incidents (including "near misses") to identify patterns or common issues. For example, if multiple incidents stemmed from emails sent in error, that indicates a need for better email precautions or training; if multiple malware incidents occurred, better endpoint protection may be needed. The Company's management will review these trends as part of our ongoing risk assessment and the continuous improvement of our data protection governance.
Training and Awareness:
- Employee Training: All employees receive training on data protection and security procedures, including how to recognise and report a data breach. This happens at induction and through regular refreshers (at least annually). The training covers practical guidance, such as double-checking email recipients, using strong passwords, identifying phishing attempts, and the importance of prompt breach reporting.
- Breach Drills: We may conduct periodic incident response drills or tabletop exercises to ensure that staff (especially those on the response team) are familiar with this policy and can act swiftly. These drills might simulate, for example, a lost device scenario or a ransomware attack, to practise decision-making and notifications.
- Culture: We foster an environment where reporting incidents is encouraged. Management reinforces that reporting a mistake (like emailing the wrong person) is the right thing to do and that honesty helps to mitigate damage. We include breach response discussion in team meetings from time to time to keep awareness high.
Compliance and Review of Policy:
- This Data Breach Policy aligns with the requirements of the UK GDPR (Articles 33 and 34) and ICO guidance on breach response. The Company will review this policy at least every year or after any significant breach incident, whichever is sooner, and update it if needed. We will take into account any changes in law or guidance, and our own experience of dealing with incidents.
- Any updates to the policy will be approved by [senior management title, e.g., the Managing Director] and communicated to all employees (with additional training provided if substantive changes are made).
- Accountability: The Company's leadership supports proper breach management as part of our duty under the GDPR's accountability principle. We maintain evidence (logs, reports) to demonstrate that we handle personal data breaches appropriately. We also consider external audits or checks on our incident handling as part of our overall data protection compliance programme.
By following this Data Breach Policy, we aim to respond to any data security incidents swiftly and effectively, thereby protecting our customers, employees, and the Company from harm. All staff and associates must adhere to these procedures and cooperate fully in the event of a data breach to achieve the best possible outcome.