Data Breach Policy

1. Introduction

1.1. HTS (Property and Environment) Limited is registered with the Information Commissioner as a Data Controller (Registration No. ZA213736) – an organisation that processes personal data.  All Data Controllers have a responsibility under the Data Protection legislation and General Data Protection Regulation (GDPR) to comply with the requirements of the integrity and confidentiality principle of the GDPR. That is to ensure that the appropriate technical and organisational processes are in place to protect the personal data collected by HTS.

1.2. Article 5(1)(f) of the GDPR states that organisations which process personal data must be “Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.

1.3. No organisation handling personal information can guarantee that it will never experience losses but by ensuring that standards are equivalent to, or exceed, best practice, data subjects will be reassured that all reasonable steps are taken to preserve and protect their information.

1.4. There are new mandatory reporting duties on data controllers and processors to notify the Information Commissioner’s Office (ICO) of data breaches that pose a risk to the rights or freedoms of data subjects, for example risk of identity theft.  Notification should be within 72 hours of becoming aware of the breach or potential breach, failure to notify may result in HTS being subjected to an administrative fine up to 10 million Euros or 2% of global turnover whichever is the higher.   

1.5. Only in exceptional circumstances can the notification be delayed; written justification must be provided of any delay and the possible consequences of the delay in reporting.

1.6. All data breaches must be reported to the HTS Data Protection Officer who is the named contact for the ICO.

1.7. HTS has a separate procedure for employees to follow when a data breach occurs.

2. Scope of policy

2.1. HTS is obliged under Data Protection legislation/GDPR to have a framework in place designed to ensure the security of all personal data during its lifecycle, including clear lines of responsibility which can be found in the HTS Data Breach Reporting Procedure

2.2. HTS employees will process personal data as part of their job and will adhere to the Data Protection legislation/GDPR.

3. Policy Statement

3.1. All users of personal data within HTS have a responsibility to ensure that they process personal data in accordance with the Data Protection legislation/GDPR and the six Data Protection Principles.

3.2. The Principles are that personal data must be processed with:

• lawfulness, fairness and transparency;
• purpose limitation;
• data minimisation, (to only hold the minimum amount of personal data to enable processing);
• accuracy;
• storage limitation (not kept for longer than necessary);
• integrity and confidentiality (that is be securely stored).

3.3. HTS will follow the data processing principles above and have the appropriate technical and organisational security measures in place to minimise the risk of breaches of personal information.

3.4. HTS will have the necessary contract provisions in place with data processors, contractors who process personal data on behalf of HTS, to ensure compliance with the data protection processing principles, and breach notification duties in the GDPR and Data Protection legislation.

3.5. Any employee or member of the public, who has a concern about processing or storage of personal information, should contact the Data Protection Officer at:

Mead Park Industrial Estate
River Way
CM20 2SE


01279 446603