Last Updated at
1. Purpose
This Incident Response Policy outlines the responsibilities and procedures for identifying, reporting, and managing security incidents that may affect the confidentiality, integrity, and availability of BrainPayroll's information and systems. The policy aims to minimize the impact of incidents on data subjects, comply with legal requirements, and restore services promptly.
2. Scope
This policy applies to all BrainPayroll employees, contractors, and third parties, including data processors and sub-processors, who handle personal data on behalf of BrainPayroll. It covers the reporting and management of security incidents globally, with specific emphasis on compliance with the UK GDPR and the Data Protection Act 2018.
3. Policy Statement
BrainPayroll is committed to safeguarding the security of its information and systems. All individuals with access to BrainPayroll resources are required to immediately report any suspected or confirmed security incidents, including Personal Data Breaches, to securityincidents@brainpayroll.co.uk. Our incident response procedures ensure a swift, effective, and compliant response to incidents. Key elements of the policy include:
- Incident Detection and Reporting: Processes are in place to promptly detect and report security incidents.
- Incident Management: Authorized personnel manage incidents, ensuring thorough investigation, containment, and remediation.
- Documentation: Maintaining detailed records of all incidents in compliance with Article 33(5) of the UK GDPR for internal and external audits.
- Assessment and Review: Incidents are evaluated to identify patterns and risks for continuous improvement of response strategies.
- External Notification: BrainPayroll adheres to legal requirements for notifying authorities (ICO) and affected Data Subjects and customers.
- Periodic Testing and Training: Regular testing of incident handling procedures and ongoing training for employees help maintain preparedness.
4. Incident Handling Process
The incident handling process follows a structured approach based on industry standards:
- Preparation: BrainPayroll trains employees and conducts regular exercises to maintain a state of readiness.
- Identification: All personnel are encouraged to report incidents immediately. Automated monitoring tools also help identify potential security events.
- Containment: Immediate actions are taken to contain the incident and prevent further damage.
- Eradication: Efforts focus on eliminating the root cause of the incident.
- Recovery: Systems are restored to normal operation following thorough testing.
- Lessons Learned: A review is conducted to learn from the incident and improve future response.
5. Personal Data Breach Response (UK GDPR Compliance)
In the event of a Personal Data Breach, the Data Protection Officer (DPO), in consultation with the Office of General Counsel, will determine the necessity and timing of notifications to supervisory authorities and/or data subjects. This assessment will be completed within 24 hours of breach discovery. The decision process includes the following:
- Notification to the ICO: If the breach is likely to result in a risk to the rights and freedoms of Data Subjects, the ICO will be notified within 72 hours of discovery. The notification will include:
  - A description of the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects and Personal Data records affected.
  - Contact details for the DPO or other designated contact for more information.
  - The likely consequences of the breach.
  - Measures taken or proposed to address the breach, including mitigation efforts.
- Notification to Data Subjects: If a breach presents a high risk to individuals, those affected will be notified without undue delay. Notifications will explain the incident, the data affected, protective actions taken, and any additional steps individuals should take. The notification will include:
  - A description of the nature of the breach, including the categories and number of Data Subjects affected.
  - Contact details for the DPO or other designated contact for more information.
  - Potential consequences of the breach.
  - Measures taken or planned to mitigate adverse effects.
  - Recommended actions Data Subjects should take to protect themselves.
Timing of Notifications:
Notifications will be made as soon as reasonably possible. Any delay will be documented and justified. In cases where law enforcement advises that notification could impede a criminal investigation, delays may be granted until clearance is given.
6. Supplier Breach Notification
If a breach occurs involving a third-party supplier that processes Personal Data or provides services on behalf of BrainPayroll, the following steps will be taken:
- Supplier's Obligations: All suppliers are contractually required to notify BrainPayroll of any actual or suspected security incident or Personal Data Breach without undue delay, ideally within 24 hours.
- Internal Assessment: The Incident Response Team, in coordination with the DPO and CISO, will assess the nature and extent of the supplier's breach.
- Notification to the ICO: If the supplier's breach involves Personal Data and is likely to result in a risk to the rights and freedoms of Data Subjects, BrainPayroll will notify the ICO within 72 hours of becoming aware of the breach.
- Notification to Affected Data Subjects: If the breach is likely to result in a high risk to the rights and freedoms of Data Subjects, BrainPayroll will notify affected individuals without undue delay.
- Coordination with the Supplier: BrainPayroll will work closely with the supplier to gather detailed information about the breach, ensure containment and mitigation measures are taken, and confirm the steps being implemented to prevent recurrence.
- Review of Supplier Agreements: Following the incident, BrainPayroll will review the supplier's security measures and may amend contractual terms or implement additional controls to strengthen data protection requirements.
7. Customer Notification
BrainPayroll is committed to keeping customers informed during a security incident. Notifications will be sent to affected individuals via email or postal mail, as appropriate. Additional updates may be provided through the customer portal or dedicated support channels.
8. Compliance and Legal Requirements
BrainPayroll adheres to the UK GDPR and Data Protection Act 2018. The policy ensures compliance with obligations to notify the ICO and affected Data Subjects in the event of a Personal Data Breach.
9. Post-Incident Review and Continuous Improvement
Following a major incident, a review will be conducted to assess the root cause, the effectiveness of the response, and areas for improvement. Recommendations will be documented, and necessary updates to policies, procedures, or technologies will be implemented.
10. Review and Updates
This policy is reviewed at least annually and whenever significant changes to the regulatory environment, business operations, or incident-handling processes occur. Updates are made to reflect the latest industry practices and compliance requirements.
11. Contact Information
For inquiries related to this policy, contact the Data Protection Officer at: