Our Data Breach Procedure

UK Bailiff Services Ltd takes data protection seriously. This guide explains how we handle any personal data incident affecting our clients, their tenants, or third parties — in full compliance with the UK GDPR and Data Protection Act 2018.

Our procedures are tailored to the unique risks of bailiff services, ensuring robust protection for clients and tenants.

We are committed to transparency and accountability. If you have any concerns about your data, please contact our Data Protection Lead — we will investigate promptly and keep you informed.

1. What is a data breach?

A data breach is any incident where personal data is accidentally or unlawfully lost, disclosed, or accessed without permission. Examples include mis-sent emails, lost paperwork, or unauthorised system access.

2. Immediate response actions

• Contain the issue by stopping any further disclosure.
• Securely delete any exposed data or retrieve documents. Secure deletion means: digital wipes (overwrite to NIST/ISO equivalent), encryption key revocation for cloud links, and cross-cut shredding for paper.
• Contact any unintended recipients and confirm deletion.
• Record the event in our secure data breach log.

Breaches involving third-party processors are managed per contractual agreements (Article 28), including prompt notification to UK Bailiffs, incident cooperation, and remedial action plans.

3. When we report to the ICO

We report to the Information Commissioner's Office (ICO) if a data breach is likely to result in a risk to the rights and freedoms of any individual (Article 33). This includes situations where the incident could cause harm, distress, identity theft, financial loss, reputational damage, discrimination, or loss of control over personal data.

Formal risk assessment step: before deciding whether to report, we complete a structured risk assessment considering data sensitivity , volume , likelihood of access or misuse , and potential impacts (identity theft, financial loss, distress, discrimination, reputational harm).

We must notify the ICO within 72 hours of becoming aware of a reportable breach. If the breach is unlikely to pose a risk, it will be recorded internally but not reported.

4. Informing affected clients or individuals

In cases where a breach may cause harm or distress, we inform affected clients or individuals without undue delay, typically within 72 hours of confirming the breach’s scope, providing:

• What happened and when.
• What data was involved.
• Likely consequences (identity theft, financial loss, distress, discrimination, reputational impact, loss of control).
• What we have done to contain and correct it.
• How you can protect yourself and who to contact for help.

We will always provide contact details for our Data Protection Lead to handle any follow-up questions.

5. If you receive information from us by accident

If you receive an email, letter, or attachment from UK Bailiff Services Ltd that you believe was sent to you in error, please help us protect data confidentiality by taking the following actions immediately:

• Do not share, copy, print, or forward the information to anyone else.
• Contact our Data Protection Lead straight away via legal@ukbailiffs.co.uk or call 0330 133 1818.
• Securely delete or destroy the information once instructed to do so (digital wipe or shredding).

6. Our responsibilities if we send information in error

If UK Bailiff Services Ltd sends personal information to the wrong recipient, we treat this as a personal data breach and take the following steps:

• Contain and mitigate: attempt message recall, revoke access/links, request immediate secure deletion and written confirmation.
• Document: record the incident in our breach log (what happened, data involved, actions taken, decision-making).
• Assess risk: apply the severity matrix and risk criteria.
• Report to the ICO when required: notify within 72 hours if risk is likely.
• Notify affected individuals when required (Article 34): without undue delay, in clear language.
• Learn and prevent: root cause analysis and corrective actions (training, controls, processes).

7. Proactive prevention and improvement

• All staff complete mandatory data protection training.
• Email and document controls are in place to prevent unauthorised sharing.
• Our systems are regularly reviewed for security compliance.
• We audit our breach log quarterly to identify trends and improvements.
• Conduct annual data breach simulation exercises to test response protocols and staff readiness.
• Third-party breach protocol: we require processors to notify us without undue delay, provide incident reports and logs, assist with containment/notification, and implement corrective actions under our contracts.

We monitor breach response metrics to drive continuous improvement in our data protection practices.

This policy is reviewed annually or following significant regulatory updates to maintain compliance.

Reach our Data Protection Lead

For any data protection concerns, please contact:
Email: privacy@ukbailiffs.co.uk
Telephone: 0330 133 1818
For urgent inquiries, you may also use our secure online portal at www.ukbailiffs.co.uk/contact.

Changelog (v2.3)

• Added secure deletion definition and examples.
• Inserted formal risk assessment step and severity matrix.
• Expanded impact categories per ICO guidance.
• Referenced Articles 33 and 34 (reporting and notification).
• Strengthened third-party breach protocol.
• Added public reassurance statement.

Version: v2.3 • Owner: Data Protection Lead • Last updated: 27 October 2025