How to develop a data breach response plan

Data breaches are becoming more frequent. In fact, barely a week goes by without a headline crying out that a company has had the personal information it holds about clients, suppliers and employees subjected to some type of unauthorised access.

According to the Office of the Australian Information Commissioner (OAIC), every business should have a data breach response plan in place. Don’t wait until the breach occurs. Be prepared. What you do in the first 24 hours following the discovery of a data breach has the potential to minimise the costs of the breach and the impact on the affected individuals.

First things first - what exactly is a data breach response plan?

The OAIC describes it as a framework that outlines the roles and responsibilities of key people who would be involved in providing the appropriate response in the event of a breach. The plan should be written down and regularly reviewed. It should also be shared with staff and tested from time to time, to ensure everyone is clear on what to do.

Research suggests that infrequent reviews of data breach response plans impede their effectiveness. In other words, don’t set it and forget it. Ensure your plan is a living document, one that evolves with your business.

Allocating roles and responsibilities

When developing your plan and allocating roles and responsibilities, ensure your team members have the capabilities to take on the tasks assigned to them. You will likely need to nominate a team leader, a project manager and a privacy officer, as well as legal, risk management, ICT, information and records management, HR and media/communications support.

Include the contact details of your team, and keep those details up-to-date. You should also nominate a primary and secondary contact for each role; this means you have a back-up in the event that the primary contact is unavailable.

Should your business be faced with a data breach, your response team will first need to contain the breach and complete a preliminary assessment. The risks associated with the breach will need to be evaluated, and all relevant parties notified. Steps will then need to be taken to prevent future breaches.

More information on developing a data breach response plan is available on the OAIC website, including a checklist. Use the checklist to determine whether your new or existing data breach plans are comprehensive.

If you need any assistance with your cyber strategy or breach notification policy, or you don't know where to start, please call us on 1300 478 738 or email us at

About the Author

Geoff Stewart is a highly experienced and skilled Technology Director at Surety IT. His knowledge is based on years of industry experience, having created customised, stable, well-performing systems both for multi-national companies in the UK and Australia and for Surety IT customers.

Surety IT can help you create the right system to enhance your business, ensuring you know how it is right for you and how to use it. We will tailor a solution to suit your needs with leading systems, local support and more, building your vision for a more flexible and capable business.

Call us today on 1300 478 738 or email to discuss your requirements.