Data Breach Procedure

Last Updated: February 2026

1. Purpose

This procedure sets out how Harmonic Action Ltd identifies, manages and reports personal data breaches in accordance with UK GDPR.

2. Definition of a personal data breach

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

3. Reporting a suspected breach

Any person working on behalf of Harmonic Action Ltd who becomes aware of a suspected personal data breach must notify a Director immediately.

Prompt reporting is essential to ensure legal compliance and risk mitigation.

4. Containment and assessment

Upon becoming aware of a potential breach, Harmonic Action Ltd will:

  • Take steps to contain the incident

  • Assess the nature of the data involved

  • Assess the number and type of individuals affected

  • Consider the likely risk to individuals’ rights and freedoms

All breaches, whether notifiable or not, will be recorded.

5. Notification to the Information Commissioner’s Office (ICO)

Where a breach is likely to result in a risk to the rights and freedoms of individuals, Harmonic Action Ltd will notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of the breach.

If notification is not made within 72 hours, the reasons for the delay will be documented.

If the breach is unlikely to result in a risk to individuals, notification to the ICO will not be required.

6. Notification to individuals

Where a breach is likely to result in a high risk to the rights and freedoms of individuals, affected individuals will be informed without undue delay.

Notification will include:

  • A description of the nature of the breach

  • Contact details for further information

  • Likely consequences

  • Measures taken or proposed

Notification will not be required where:

  • Data was protected by appropriate safeguards (e.g., encryption), or

  • Measures have been taken to eliminate the high risk.

7. Record keeping

All personal data breaches, including those not reported to the ICO, will be documented. Records will include:

  • Facts relating to the breach

  • Effects of the breach

  • Remedial action taken

Breach records will be retained for 6 years.

8. Responsibility

A Director of Harmonic Action Ltd is responsible for overseeing data protection compliance and breach management.