Data Breach Notification Policy

Effective Date: 20th April 2025

1. Purpose
This Notification Policy outlines the procedures PCVdigital Limited (“PCVdigital”) will follow to ensure compliance with the UK General Data Protection Regulation (UK GDPR) regarding the notification of personal data breaches to the Information Commissioner’s Office (ICO) and affected data subjects.

2. Scope
This policy applies to all employees, contractors, and third parties acting on behalf of PCVdigital who have access to personal data held or processed by the company.

3. Definition of a Personal Data Breach
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed. Examples include:
· Loss or theft of data or equipment
· Unauthorised access to data
· Data sent to the wrong recipient
· Malware or ransomware attacks

4. Breach Detection and Reporting
If any member of PCVdigital suspects a data breach, or if a customer contacts us about a suspected data breach, it must be reported immediately to PCVdigital’s Data Protection Officer (DPO). The report should include:
· Date and time the breach was discovered
· Description of the breach
· Type and amount of personal data involved
· Actions taken so far

5. Assessment and Risk Evaluation
Upon receipt of a breach report, the DPO will undertake an assessment and risk evaluation with reference to the PCVdigital Data Breach Assessment Process. This process includes:
· Assessing the nature, sensitivity, and volume of data involved
· Determining the likelihood and severity of risk to individuals’ rights and freedoms
· Documenting the findings and maintaining a breach register

6. Notification to the ICO
Where a personal data breach is likely to result in a risk to the rights and freedoms of individuals, PCVdigital will notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of the breach. The notification to the ICO will include:
· Description of the nature of the breach
· Categories and approximate number of individuals and data records affected
· Contact details of the DPO
· Likely consequences of the breach
· Measures taken or proposed to address the breach

7. Notification to Affected Individuals
If the breach is likely to result in a high risk to the rights and freedoms of individuals, PCVdigital will inform the affected individuals without undue delay, using clear and plain language. The communication will include:
· A description of the nature of the breach
· Contact details for further information
· Likely consequences of the breach
· Steps taken or proposed to address and mitigate the effects

8. Record-Keeping
All breaches, regardless of whether they are reported to the ICO, will be recorded in the Data Breach Register, maintained by the DPO. The register will include:
· Details of the breach
· Actions taken
· Outcomes and lessons learned

9. Review and Training
This policy will be reviewed annually or after any significant breach or change in legislation. All relevant personnel will receive training on breach detection and notification procedures as part of their GDPR training.

Contact
For any questions related to this policy, please contact:
Data Protection Officer
Email: data@pcvdigital.com

© 2025 PCVdigital Limited.