DocRide legal

Data Breach Response Policy

Effective date: 2 June 2026

1. Purpose

This policy explains how DocRide identifies, assesses, escalates and responds to suspected personal data breaches affecting DocRide systems or customer data.

2. What is a personal data breach?

A personal data breach is a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

3. Response stages

  1. Identify: detect and log suspected incidents through monitoring, support reports or internal escalation.
  2. Contain: take immediate steps to limit further access, loss or damage.
  3. Assess: determine what happened, what data was affected, which systems were involved, how many people were affected and the likely risk.
  4. Notify: notify affected customers without undue delay where DocRide acts as processor; notify the ICO within 72 hours where DocRide acts as controller and notification is required.
  5. Remediate: fix vulnerabilities, reset credentials, restore data where possible and strengthen controls.
  6. Review: document lessons learned and update controls, policies and training.

4. Customer notification

Where a breach affects Customer Personal Data and DocRide acts as processor, DocRide will notify the affected customer without undue delay after becoming aware of the breach. The notice will include information reasonably available to DocRide, such as the nature of the breach, data affected, likely consequences and measures taken or proposed.

5. Regulator and individual notification

Where DocRide acts as controller, we will assess whether the breach is likely to result in a risk to individuals' rights and freedoms. If required, we will notify the ICO within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to individuals, we will notify affected individuals unless an exemption applies.

Where the customer acts as controller, the customer is responsible for deciding whether to notify regulators or individuals, with reasonable assistance from DocRide where required by the DPA.

6. Incident record

DocRide will maintain an internal breach register recording facts, effects, decisions, notifications, remediation and lessons learned, including incidents that do not require notification.

7. Contact

Suspected privacy or security incidents should be reported immediately to info@docride.co.uk.

8. Related legal documents