Title: Breach Notification Procedure
Document ID: [PROC-BREACH-001]
Version: 0.1 Draft
Status: Draft
Owner: CISO (Paul Jenkins)
Approver: CISO (Paul Jenkins)
Classification: Internal
Effective date: [DD Month YYYY]
Review date: [DD Month YYYY]

# Breach Notification Procedure

## Purpose

This procedure defines how BlackDice should assess and manage notification obligations arising from suspected or confirmed personal data breaches or other reportable security incidents.

## Scope

This procedure applies to incidents that may trigger legal, regulatory, contractual, customer, or other formal notification obligations.

## Trigger / When Used

Use this procedure when:

- an incident may involve personal data compromise
- contractual notification requirements may apply
- customer-owned or supplier-shared information may be affected
- there is uncertainty about whether notification obligations exist

## Procedure Steps

1. Receive escalation from incident handling or another authorised source.
2. Confirm the nature of the incident, the information involved, and the affected parties or environments.
3. Assess whether legal, regulatory, contractual, customer, or supplier notification obligations may apply.
4. Identify relevant deadlines, approval requirements, and required content for notification.
5. Coordinate internal review with appropriate stakeholders, including security, privacy, legal, management, and customer-facing roles as needed.
6. Prepare and issue notification through the approved channel where notification is required.
7. Record the decision, rationale, timing, recipients, and any follow-up obligations.
8. Update the underlying incident record and track resulting actions to completion.

## Inputs

- incident details and severity assessment
- affected data or service information
- contractual and regulatory obligations
- stakeholder review input

## Outputs / Records

- notification decision record
- issued notification or documented no-notification rationale
- approval evidence
- follow-up action record

## Roles and Responsibilities

- [Role] must coordinate notification assessment and execution.
- Incident handlers must escalate potentially notifiable incidents promptly.
- Relevant stakeholders must review obligations and approve content where required.

## Escalation / Exceptions

Escalate immediately where:

- notification deadlines may be at risk
- facts are incomplete but harm may be ongoing
- a customer or regulator has already made contact
- multiple jurisdictions or conflicting obligations may apply

This procedure must not be interpreted as legal advice. Legal review should be obtained where appropriate.

## Related Documents

- Incident Response Policy
- Security Incident Handling Procedure
- Privacy and Data Protection Policy
- Information Transfer Policy

## Version Control

| Version | Date | Description of Change | Author |
| --- | --- | --- | --- |
| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |