OSCABE | Managed Remote Employees

Personal Data Breach Notification Policy

Version 2026.05 | Effective 1 May 2026 | Next review 1 May 2027

This Personal Data Breach Notification Policy implements Articles 33 and 34 of the UK GDPR / EU GDPR and applies to OSCABE LTD and all of its sub-processors.

1. What counts as a breach

A "personal data breach" is any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Examples include:

  • Misdirected email containing personal data
  • Lost or stolen laptop, phone or USB stick holding personal data
  • Unauthorised database access
  • Ransomware affecting systems that hold personal data
  • A sub-processor reporting a breach to us

2. Detection and triage

Breaches may surface via:

  • Automated alerts (intrusion detection, anomaly detection)
  • Staff or contractor reports: every team member must report a suspected breach to info@oscabe.com within 4 hours of becoming aware of it
  • Sub-processor notifications under their DPAs
  • External reports from data subjects, customers or researchers

The CEO (Data Protection Lead) is responsible for triage. The initial assessment, including severity, scope, and notifiability, is completed within 24 hours of the breach being reported.

3. Notifying the ICO

We notify the UK ICO within 72 hours of becoming aware of a notifiable breach. The notification covers:

  • Nature of the breach (categories and approximate number of data subjects and records concerned)
  • Likely consequences
  • Measures taken or proposed
  • Contact point for follow-up

If full information is not available within 72 hours, we will provide what we have and supplement it as facts emerge.

Where the breach affects EU data subjects we notify the lead supervisory authority of the EEA jurisdiction concerned in parallel.

4. Notifying affected individuals

Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, we will notify those individuals without undue delay. The notification will use clear, plain language and describe:

  • The nature of the breach
  • The likely consequences
  • Measures taken or proposed
  • A contact point for questions
  • Specific recommended actions (e.g. password reset, watch for phishing)

We may delay individual notification on the advice of law enforcement.

5. Notifying Clients (when OSCABE is processor)

Where the breach affects personal data we process for a Client, we will notify that Client within 36 hours of becoming aware of it. The Client remains responsible for any ICO and data subject notifications arising from their controller obligations; OSCABE provides assistance under Art 28(3)(f).

6. Containment and remediation

Containment actions may include: revoking sessions, rotating credentials, isolating affected systems, blocking the abuse channel, restoring from clean backup, and patching the underlying vulnerability.

We complete a root-cause analysis within 10 business days of containment and update controls accordingly.

7. Record keeping

We maintain a Breach Register containing all breaches (notifiable or not), the facts, effects and remedial action. Records are kept for 6 years to support accountability under Art 5(2).

8. Testing

We run an annual tabletop breach exercise covering at least one of: ransomware on production data, misdirected mass email, and credential compromise.