Data Breach Assessment Checklist

1

Incident Details

Incident Reference Number

Reported By

Date Breach Occurred

Date Breach Discovered

Time Discovered

72-Hour Deadline

Calculate: Discovery date/time + 72 hours

Brief Description of the Incident

2

Type of Breach

A personal data breach can involve confidentiality, integrity, and/or availability. Select all that apply:

Confidentiality breach — Unauthorised or accidental disclosure of, or access to, personal data (e.g., email sent to wrong recipient, hacking, lost device) Integrity breach — Unauthorised or accidental alteration of personal data (e.g., data corrupted, records modified without authorisation) Availability breach — Unauthorised or accidental loss of access to, or destruction of, personal data (e.g., ransomware attack, accidental deletion without backup)

3

Data and Individuals Affected

Approximate Number of Individuals Affected

Approximate Number of Records Affected

Categories of Individuals Affected

Employees / Staff Customers / Clients Suppliers / Contractors Children (under 18) Vulnerable individuals Other (specify below)

Special Category / Criminal Data

If any special category or criminal conviction data is involved (marked with ⚠️), this significantly increases the likelihood that the breach is reportable and that individuals should be notified.

4

Risk Assessment

Consider the potential consequences for affected individuals. Check all risks that may apply:

Identity theft or fraud — Data could be used to impersonate individuals Financial loss — Direct monetary harm to individuals Damage to reputation — Personal or professional reputational harm Discrimination — Risk of discriminatory treatment Emotional distress — Psychological impact on individuals Physical harm — Risk to physical safety Loss of confidentiality — Breach of professional secrecy Social disadvantage — Exclusion or social harm

Overall Risk Level Assessment

Unlikely to result in risk — No significant impact expected Risk to rights and freedoms — Some impact likely (REPORT TO ICO) High risk to rights and freedoms — Significant impact likely (REPORT TO ICO + NOTIFY INDIVIDUALS)

Factors Increasing Risk

Special category or criminal data involved
Large number of individuals affected
Vulnerable individuals affected (children, patients, etc.)
Data could be combined with other data to cause harm
Data is not encrypted or otherwise protected
Breach was caused by malicious action
Data has been or may be publicly disclosed

5

Mitigating Factors

Are there any factors that reduce the risk of harm? Check all that apply:

Data was encrypted and encryption key was not compromised Data has been recovered with no evidence of access/copying Recipient is trusted and has confirmed secure deletion Data is unlikely to be usable (e.g., out of date, incomplete) Data can be restored from backup (for availability breaches) Breach has been contained and cannot spread further

Additional Mitigation Notes

6

Notification Decision

ICO Notification

✓ Report to ICO

The breach is likely to result in a risk to individuals' rights and freedoms

✗ Do Not Report

The breach is unlikely to result in a risk to individuals' rights and freedoms

Individual Notification

✓ Notify Individuals

The breach is likely to result in a HIGH risk to individuals' rights and freedoms

✗ Do Not Notify

The risk level does not meet the threshold for individual notification

Rationale for Decision

This documentation is essential for demonstrating accountability to the ICO

7

Containment and Remedial Actions

Immediate Actions Taken

Future Preventive Measures

8

Assessment Sign-off

Assessor Name

Role / Title

Signature

Date

Record Keeping

You must document all breaches, regardless of whether they are reported to the ICO. Keep this completed assessment securely for at least 6 years. The ICO may request to see your breach records during an audit or investigation.