What is a Data Breach Response Plan?

If your business collects personal information about your customers, you and your employees should know how to minimise the impacts of a data breach. Data breaches are common and impact even large international companies, such as Uber, Equifax and Ashley Madison. Failing to address a data breach adequately can lead to hefty fines. Therefore, you should proactively establish a data breach response plan so you have a strategy ready if a breach does occur. This article sets out the benefits of having a data breach response plan and outlines the process of setting one up.

What is a Data Breach?

A data breach refers to unauthorised access, disclosure or loss of personal information. A data breach can be caused by events such as intentional hacking, human error or technical error. Personal information is information about an identified individual or an individual who is reasonably identifiable. Some typical examples of personal information which you must take extra steps to protect include a person’s:

  • name;
  • date of birth;
  • email address;
  • occupation;
  • gender; and
  • more sensitive details such as health information.

What is a Data Breach Response Plan?

A data breach response plan sets out the roles and responsibilities of your business when managing a data breach. Overall, this document describes the steps your team will take if a data breach occurs and how to mitigate potential damage.

Do I Need a Data Breach Response Plan?

The Australian Privacy Principles (APPs) outline how government agencies, private businesses and not-for-profit organisations must manage personal information. Generally, this applies to entities with an annual turnover of more than $3 million. However, organisations with less than $3 million in turnover may also be subject to the APPs if they trade in personal information or provide health services.

If your business needs to comply with the APPs, you must take reasonable steps to protect personal information from:

  • misuse, interference and loss; and
  • unauthorised access, modification or disclosure.

However, you are not legally obligated to implement a data breach response plan in your business. Instead, you should consider it a proactive measure to help your business act quickly if a breach occurs. Overall, the plan is intended to improve your odds of minimising the damage to your consumers and business during a breach.

What Should the Data Breach Response Plan Include?

Your plan should include a response process which contains detailed information on:

  • what a data breach is and how your employees can identify a breach;
  • the members of your data response team and the correct point of contact;
  • how to contain a data breach;
  • how to assess the risks of a data breach;
  • the steps a response team should follow after being notified of a potential breach;
  • how to notify the people whose information was breached;
  • how to ensure any breach notifications follow the Notifiable Data Breaches scheme;
  • the correct process to document data breaches, including those incidents which are not escalated to the response team; and
  • how to review an incident and prevent future breaches.

Your Data Breach Response Team

Having well-trained staff who can deal with a data breach will assist in minimising the data breach’s damage. While all your staff should have some data breach training, you should additionally establish—if possible—a specific response team.

It is crucial to act promptly during a data breach. Therefore, anyone on your response team should have the authority to act independently without seeking permission from senior management. Further, you should ensure the members’ contact details are up-to-date and that other staff can easily contact the team. Generally, a data breach response team will include:

  • a team leader who leads the data breach response team and reports to the senior management team;
  • a project manager who coordinates the work of the data breach response team;
  • a privacy officer who is the privacy expert in the data breach response team; and
  • a legal officer who provides legal insights and advice to the rest of the team.

Lastly, your team may include additional support and specialist roles such as:

  • risk management;
  • information and communications technology forensics;
  • information and records management;
  • human resources; and
  • media and communications.

Maintaining Your Data Breach Response Plan

You should ensure your staff are aware of where you have stored the data breach response plan. This is particularly important if your work regularly takes you away from the office. Additionally, your staff should be aware of the practical response procedures, not just the theory. It may be helpful to role-play hypothetical data breach scenarios to better prepare your response team.

Finally, you should regularly review your data breach response plan. This is to ensure it reflects the way your business currently handles data and personal information. As such, you may benefit from scheduling response plan reviews every six months or even more regularly.

Key Takeaways

The best way to prepare for an efficient data breach response is to implement a data breach response plan. This will set out the roles and responsibilities of your team members if your business suffers a data breach. The plan should describe in detail the steps those involved will need to take to minimise potential damage.

Consequently, your plan should include a data breach response process to guide your team in identifying and responding to eligible data breaches. Combined with adequate training, and if implemented correctly, your plan may limit your liability should a data breach ever occur.

If you need further assistance with preparing a data breach response plan or complying with Australian privacy law, call LegalVision’s IT lawyers on 1300 544 755 or fill out the form on this page.

Johan Lundstedt
