1.0 Introduction

1.1 Please Hold (UK) Ltd (t/a PHMG) holds and processes basic personal data that needs to be suitably protected.

1.2 Every care is taken to protect personal data from incidents (either accidental or deliberate) to avoid a data protection breach that could compromise security.

1.3 Compromise of information, confidentiality, integrity, or availability may result in harm to individual(s), reputational damage, detrimental effect on service provision, legislative noncompliance, and/or financial costs.


2.0 Purpose

2.1 PHMG is obliged under the General Data Protection Regulation (GDPR) to have in place an institutional framework designed to ensure the security of all personal data during its lifecycle, including clear lines of responsibility.

2.2 This Policy sets out the procedure to be followed to ensure a consistent and effective approach is in place for managing a data breach and information security incidents.


3.0 Scope

3.1 This Policy relates to all personal data held by PHMG regardless of format.

3.2 This Policy applies to all at PHMG, including suppliers and data processors working for us or on our behalf.

3.3 The objective of this Policy is to contain any breaches, to minimise the risk associated with the breach and to consider what action is necessary to secure personal data and prevent further breaches.


4.0 Definition / Types of Breach

4.1 For the purpose of this Policy, data security breaches include both confirmed and suspected incidents.

4.2 An incident in the context of this Policy is an event or action which may compromise the confidentiality, integrity or availability of systems or data, either accidentally or deliberately, and has caused or has the potential to cause damage to PHMG's information assets and/or reputation.

4.3 An incident includes, but is not restricted to, the following:

  • Loss or theft of confidential or sensitive data or equipment on which such data is stored (e.g. loss of laptop, USB stick, iPad/tablet device, or paper record)
  • Equipment theft or failure
  • Unauthorised use of, access to or modification of data or information systems
  • Attempts (failed or successful) to gain unauthorised access to information or IT system(s)
  • Unauthorised disclosure of sensitive / confidential data
  • Website defacement
  • Hacking attack
  • Unforeseen circumstances such as a fire or flood
  • Human error
  • ‘Blagging’ offences where information is obtained by deceiving the organisation that holds it

5.0 Reporting an incident

5.1 Any individual who accesses, uses or manages PHMG’s information is responsible for reporting data breach and information security incidents immediately to the Data Protection Officer through gdpr@phmg.com.

5.2 If the breach occurs or is discovered outside normal working hours, it must be reported as soon as is practicable.

5.3 The report will include full and accurate details of the incident, when the breach occurred (dates and times), who is reporting it, whether the data relates to people, the nature of the information, and how many individuals are involved. An Incident Report Form should be completed as part of the reporting process. See Appendix 1.

5.4 All staff should be aware that any breach of GDPR may result in disciplinary procedures being instigated.


6.0 Containment and Recovery

6.1 The Data Protection Officer (DPO) will firstly determine if the breach is still occurring. If so, the appropriate steps will be taken immediately to minimise the effect of the breach.

6.2 An initial assessment will be made by the DPO to establish the severity of the breach.

6.3 The DPO will establish whether there is anything that can be done to recover any losses and limit the damage the breach could cause.

6.4 The DPO will establish who may need to be notified as part of the initial containment and will inform the police, where appropriate.

6.5 Advice from experts across PHMG may be sought in resolving the incident promptly.

6.6 The DPO will determine the suitable course of action to be taken to ensure a resolution to the incident.


7.0 Investigation and Risk Assessment

7.1 An investigation will be undertaken by the DPO immediately and wherever possible within 72 hours of the breach being discovered / reported.

7.2 The DPO will investigate the breach and assess the risks associated with it, for example, the potential adverse consequences for individuals, how serious or substantial those are and how likely they are to occur.

7.3 The investigation will need to take into account the following:

  • The type of data involved
  • Its sensitivity
  • The protections in place (e.g. encryption)
  • What has happened to the data: has it been lost or stolen?
  • Whether the data could be put to any illegal or inappropriate use
  • Who the individuals are, number of individuals involved and the potential effects on those data subject(s)
  • Whether there are wider consequences to the breach



8.0 Notification

8.1 The DPO, in consultation with the IT department, will determine who needs to be notified of the breach.

8.2 Every incident will be assessed on a case by case basis; however, the following will need to be considered:

  • Whether there are any legal/contractual notification requirements;
  • Whether notification would assist the individual affected – could they act on the information to mitigate risks?
  • Whether notification would help prevent the unauthorised or unlawful use of personal data?
  • Would notification help PHMG meet its obligations in a way in which the data subject can contact PHMG for further information or to ask questions on what has occurred?

8.4 The DPO must consider notifying third parties such as the police, insurers, bank or credit card companies, and trade unions. This would be appropriate where illegal activity is known or is believed to have occurred, or where there is a risk that illegal activity might occur in the future.

8.5 The DPO will consider whether a press release needs to be communicated and will be ready to handle any incoming press enquiries.

8.6 All actions will be recorded by the DPO.


9.0 Evaluation and response

9.1 Once the initial incident is contained, the DPO will carry out a full review of the causes of the breach, the effectiveness of the response(s), and whether any changes to systems, policies and procedures should be undertaken.

9.2 Existing controls will be reviewed to determine their adequacy, and whether any corrective action should be taken to minimise the risk of similar incidents occurring.

9.3 The review will consider:

  • Where and how personal data is held and where and how it is stored
  • Where the biggest risks lie, and will identify any further potential weak points within its existing measures
  • Whether methods of transmission are secure; sharing minimum amount of data necessary
  • Identifying weak points within existing security measures
  • Staff awareness
  • Implementing a data breach plan and identifying a group of individuals responsible for reacting to reported breaches of security

9.4 If deemed necessary, a report recommending any changes to systems, policies and procedures will be considered by PHMG.





Data Breach Report Form

Please act promptly to report any data breaches. If you discover a data breach, please notify the Data Protection Officer immediately, complete Section 1 of this form and email it to the DPO at gdpr@phmg.com.

Section 1: Notification of Data Security Breach

To be completed by person reporting incident

Date incident was discovered:


Date(s) of incident:


Place of incident:


Name of person reporting incident:


Contact details of person reporting incident (email address, telephone number):


Brief description of incident or details of the information lost:


Number of Data Subjects affected, if known:


Has any personal data been placed at risk? If so, please provide details:


Brief description of any action taken at the time of discovery:



For use by the Data Protection Officer

Received by:


On (date):


Forwarded for action to:


On (date):




Section 2: Assessment of Severity

To be completed by the DPO in consultation with the Head of department affected by the breach:

Details of information loss:


What is the nature of the information lost?


How much data has been lost? If laptop lost/stolen: how recently was the laptop backed up onto central IT systems?


Is the information unique? Will its loss have adverse operational, research, financial, legal, liability or reputational consequences for PHMG or third parties?


How many data subjects are affected?


Is the data bound by any contractual security arrangements?


What is the nature of the sensitivity of the data?


Please provide details of any types of information that fall into any of the following categories:


HIGH RISK personal data

Sensitive personal data (as defined in the GDPR) relating to a living, identifiable individual’s:


a) Racial or ethnic origin;


b) Political opinions or religious or philosophical beliefs;


c) Membership of a trade union;


d) Physical or mental health or condition or sexual life;


e) Commission or alleged commission of any offence, or


f) Proceedings for an offence committed or alleged to have been committed by the data subject, the disposal of such proceedings or the sentence of any court in such proceedings.


  • Information that could be used to commit identity fraud, such as personal bank account and other financial information; national identifiers, such as National Insurance Number and copies of passports and visas;


  • Personal information relating to vulnerable adults and children;


  • Detailed profiles of individuals including information about work performance, salaries or personal life that would cause significant damage or distress to that person if disclosed;


  • Security information that would compromise the safety of individuals if disclosed.


Data Protection Officer to consider whether it should be escalated to the board at PHMG




Section 3: Action taken

To be completed by Data Protection Officer

Incident number

e.g. year/001

Report received by:


On (date):


Action taken by responsible officer/s:








Was incident reported to Police?


If YES, notified on (date):

Follow up action required/recommended:


Reported to Data Protection Officer on (date):


Reported to other internal stakeholders (details, dates):



For use of Data Protection Officer:

Notification to ICO

YES/NO If YES, notified on:


Notification to data subjects

YES/NO If YES, notified on:


Notification to other external regulator/stakeholder

YES/NO If YES, notified on: