top of page

DATA BREACH & INCIDENT REPORTING POLICY

EJ’s Pursuits Ltd
(UK GDPR & Data Protection Act 2018 Compliant)

 

1. Purpose of This Policy

This policy outlines how EJ’s Pursuits Ltd identifies, manages, and reports personal data breaches in compliance with:

  • UK GDPR

  • Data Protection Act 2018

  • ICO (Information Commissioner’s Office) guidance

A “data breach” includes any event that results in:

  • unauthorised access to personal data

  • accidental loss, destruction, or alteration of data

  • theft of data

  • unlawful disclosure

 

2. What Is a Personal Data Breach?

A data breach may include (but is not limited to):

  • Lost or stolen devices containing customer data

  • Hacking, malware, or cyber-attacks

  • Sending customer information to the wrong recipient

  • Unauthorised access by staff or third parties

  • Accidental deletion of essential data

  • Loss of paper documents containing personal details

 

3. Incident Detection & Reporting

3.1 Staff Responsibilities

All staff must immediately report any suspected breach to the Data Controller at EJ’s Pursuits Ltd.

Reports should include:

  • What happened

  • When it happened

  • What data may be affected

  • Who may be impacted

  • Any actions already taken

3.2 Internal Contact for Breach Reporting

Data Controller – EJ’s Pursuits Ltd
📧 info@ejspursuits.co.uk
📞 01843 621357

 

4. Breach Assessment Process

Once a breach is reported, we will:

Step 1 – Contain the Breach

Secure systems, restrict access, recover lost data, and halt further data loss.

Step 2 – Assess the Risks

We determine:

  • the categories and volume of data involved

  • whether sensitive or regulated data is affected (e.g., firearms certificate numbers, ID documents)

  • who is impacted

  • the likelihood of harm (fraud, identity theft, safety issues, etc.)

Step 3 – Record the Incident

All breaches, regardless of severity, are logged in our Data Breach Register with:

  • incident summary

  • corrective action taken

  • long-term preventative measures

 

5. Reporting to the ICO (Information Commissioner’s Office)

Under UK GDPR, EJ’s Pursuits Ltd must notify the ICO within 72 hours if a breach is likely to result in:

  • risk to individuals’ rights

  • identity theft risk

  • financial loss

  • confidentiality breaches

  • reputational damage

  • threats to personal safety

If notification is required, we will include:

  • the nature of the breach

  • categories and volume of affected data

  • contact details of our Data Protection lead

  • likely consequences

  • actions taken or proposed

If we decide not to notify the ICO, we will document our reasoning.

 

6. Notifying Affected Customers

We will notify individuals as soon as reasonably possible if the breach is likely to result in:

  • financial risk

  • identity theft

  • exposure of sensitive documents (e.g., ID verification)

  • risk to personal safety

Our notification will include:

  • a clear description of the breach

  • the data involved

  • recommended steps customers should take

  • how we are mitigating the impact

  • our contact details for further assistance

 

7. Working With Third-Party Partners

Many services involve third-party processors such as:

  • couriers

  • payment providers

  • website hosting & IT support

  • marketing platforms

Where a breach occurs with a third-party partner:

  • They must notify EJ’s Pursuits Ltd immediately

  • We will work with them to assess and contain the breach

  • EJ’s Pursuits Ltd remains responsible for ensuring legal compliance

All partners are contractually required to meet UK GDPR standards.

 

8. Preventative Security Measures

EJ’s Pursuits Ltd uses a variety of tools and practices to reduce the risk of breaches:

  • Secure cloud and internal servers

  • Encrypted systems

  • Up-to-date antivirus and anti-malware

  • Strong password policies & two-factor authentication

  • Staff training in data protection

  • Regular audits and access reviews

  • Secure handling of firearms/age-verification documents

 

9. Record Keeping

We maintain a Data Breach Register containing:

  • Date & time of breach

  • Nature of incident

  • Data affected

  • Number of individuals affected

  • Decisions regarding ICO reporting

  • Notifications to customers

  • Corrective and preventative actions

Records are kept for a minimum of six years.

 

10. Policy Review

This policy is reviewed annually or sooner if:

  • legislation changes

  • new systems are introduced

  • significant incidents occur

All updates will be published on our website.

bottom of page