Data Privacy and Incident Response Policy
Effective Date: 1st September 2021
Last Updated: November, 2025
This policy outlines how Cimple manages and responds to data privacy incidents to protect personal data and maintain compliance with applicable laws, including the UK GDPR and ISO/IEC 27001:2022 principles. It demonstrates Cimple’s commitment to prompt, transparent, and compliant handling of any data breach or privacy event.
Cimple maintains a structured process for identifying, assessing, and resolving data privacy incidents. Our internal Incident Response Team (IRT) is led by our Data Protection Officer (DPO), who coordinates investigations, containment, and recovery efforts. Where required, external specialists may be engaged to support forensic analysis or provide legal advice.
All staff are regularly trained to recognise and report potential data incidents immediately. Training is conducted quarterly, and reporting, escalation and awareness are embedded within Cimple's technology processes. Cimple uses technical and organisational controls, such as access monitoring and intrusion detection systems, to identify unusual activity or potential data breaches, in line with ISO/IEC 27001 controls and Cyber Essentials and Cyber Essentials Plus.
When a data privacy incident occurs:
The incident is logged in the business's centralised incident tracker and assessed for severity.
Containment actions are taken to prevent further exposure.
Root cause analysis and corrective measures are implemented to prevent recurrence. Every stage of the response is documented to maintain accountability and continuous improvement.
In accordance with UK GDPR:
Cimple will notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of a personal data breach, unless it is unlikely to result in a risk to individuals’ rights and freedoms.
If the incident poses a high risk to affected individuals, Cimple will inform those individuals directly with details on the nature of the breach, potential impact, and recommended actions.
Following every confirmed incident:
A formal review is conducted to evaluate the effectiveness of our response and update our controls.
Lessons learned are integrated into our Information Security Management System (ISMS).
Additional staff awareness or technical training is carried out where necessary.
All staff receive ongoing GDPR and information security training to ensure awareness of reporting procedures and responsibilities. Cimple also conducts regular drills to test the readiness and effectiveness of our incident response and business continuity procedures.
This policy is reviewed at least every 24 months or following any significant change in regulatory requirements, data processing activities, or organisational structure.
For privacy-related questions or to report a potential incident, contact: team@cimple.uk