Data Breach Response Procedure
Last updated: 19/08/2025
1. Purpose
This procedure sets out the steps to follow in the event of a personal data breach at Simon Kerr Fitness (SKF). It ensures compliance with the UK GDPR and the Data Protection Act 2018, and helps minimise risks to individuals’ rights and freedoms.
2. What is a Data Breach?
A data breach is any incident that results in:
• Unauthorised access to personal data
• Loss or theft of data (digital or paper)
• Accidental disclosure of personal data to the wrong recipient
• Data corruption making information unavailable
• Hacking, phishing, or malware attacks affecting client records
3. Detection & Reporting
Any suspected or actual data breach must be reported immediately to Simon Kerr (Data Controller).
If you discover the breach, record the time, the nature of the breach, and how it was discovered.
4. Containment & Recovery
Take immediate steps to contain the breach (e.g. revoke access, change passwords, retrieve wrongly sent emails, isolate affected systems).
Secure any physical files if paper data is involved.
Work with third-party providers (e.g. payment processors, storage systems) if the breach relates to their services.
5. Risk Assessment
The following questions should be considered:
• What type of data is involved (contact, financial, health, etc.)?
• How many individuals are affected?
• What harm could result (identity theft, fraud, reputational damage, distress)?
• Can the risk be reduced through immediate action?
6. Notification Requirements
ICO Notification: If the breach is likely to result in a risk to individuals’ rights and freedoms, it must be reported to the Information Commissioner’s Office (ICO) within 72 hours.
Client Notification: If the breach poses a high risk to affected clients, they will be notified promptly, including:
• The nature of the breach
• The data affected
• The likely consequences
• Steps taken to mitigate harm
• Contact details for further support
7. Documentation
All breaches, whether reportable or not, must be documented in a Data Breach Log.
Records should include:
• Date and time of breach
• Nature of breach
• Individuals affected
• Actions taken
• Whether ICO/clients were notified
8. Review & Prevention
Following a breach, procedures will be reviewed to prevent recurrence.
• Security measures (e.g. stronger passwords, software updates) will be reinforced.
• This procedure will be reviewed annually or following any significant incident.