UK GDPR Articles 33 & 34 · Document version 1.0 · Last updated: 11 May 2026
| Severity | Definition | Examples | Initial response SLA |
|---|---|---|---|
| SEV-1 (Critical) | Confirmed unauthorised access to user data; service-wide outage exposing data; loss of integrity affecting many users. | Database leak, refresh-token dump, full Settings page returns another user’s data. | 15 minutes |
| SEV-2 (High) | Localised data exposure; vulnerability exploitable without auth; significant degradation. | IDOR exposing one mailbox to another user, leaked API key in client bundle. | 1 hour |
| SEV-3 (Medium) | Vulnerability requiring authentication or chain; non-data-leaking outage. | XSS reflected in admin tool, partial Gmail sync failure, expired TLS cert. | 4 hours |
| SEV-4 (Low) | Hardening issue, no immediate user impact. | Missing security header, info-disclosure of stack version. | Next business day |

| T+ | Action | Owner |
|---|---|---|
| 0–15 min | Triage: confirm signal, classify severity, open incident channel, freeze deploys. | On-call engineer |
| 15–60 min | Contain: revoke tokens / rotate keys / block IPs / disable affected feature flag. | On-call engineer |
| 1–4 h | Forensics: capture logs & snapshots, estimate categories of data and number of subjects affected. | On-call + director |
| 4–24 h | Decision: does this meet the “risk to rights and freedoms” threshold? If yes, prepare ICO notification. | Director (controller) |
| ≤ 72 h | Notify the ICO via the online breach-report form. Include nature, categories, approximate number of subjects/records, consequences and measures. | Director |
| ≤ 72 h (where required) | Notify affected data subjects under Art. 34 if “high risk”. Plain-language email with what happened, what we know, what they should do, and how to contact us. | Director + on-call |
| 5–10 days | Post-incident review (blameless). Root cause, timeline, action items, prevention. Filed in the compliance binder. | Entire team |

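
The T+1–4 h forensics step has to produce the facts the ICO form asks for at T+72 h (categories of data, approximate number of subjects and records, when the clock started). The following is an added example, not part of this runbook: it scopes a cross-user access incident (the IDOR / "another user's data" cases in the severity table) from constructed access-log lines and computes the notification deadline from the time the incident was detected. The log format, the path-to-category mapping and the timestamps are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample access log (not real traffic). Each line records the
# authenticated user, the resource path and the owner of that resource.
SAMPLE_LOG = """\
2026-05-11T09:00:01Z user=u42 path=/api/mailbox/u42/messages owner=u42
2026-05-11T09:00:05Z user=u42 path=/api/mailbox/u77/messages owner=u77
2026-05-11T09:00:09Z user=u42 path=/api/settings/u77 owner=u77
2026-05-11T09:01:12Z user=u42 path=/api/mailbox/u78/messages owner=u78
2026-05-11T09:02:30Z user=u15 path=/api/settings/u15 owner=u15
2026-05-11T09:03:00Z user=u42 path=/api/mailbox/u77/messages owner=u77
"""

# Assumed time the on-call engineer confirmed the signal (start of T+0).
DETECTED_AT = datetime(2026, 5, 11, 9, 10, tzinfo=timezone.utc)
# Assumed mapping from API resource to the data category reported to the ICO.
DATA_CATEGORY = {"mailbox": "email content", "settings": "account settings"}
ICO_NOTIFICATION_WINDOW = timedelta(hours=72)  # Art. 33(1) deadline


def parse_line(line):
    """Parse one log line into a dict with a timezone-aware timestamp."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def scope_breach(log_text, detected_at):
    """Collect the Art. 33 facts from every access where user != resource owner."""
    exposed = defaultdict(set)  # data subject -> categories of their data exposed
    actors, records, first_seen = set(), 0, None
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["user"] == rec["owner"]:
            continue  # normal access to one's own data, not part of the incident
        records += 1
        actors.add(rec["user"])
        exposed[rec["owner"]].add(DATA_CATEGORY[rec["path"].split("/")[2]])
        first_seen = rec["ts"] if first_seen is None else min(first_seen, rec["ts"])
    categories = sorted(set().union(*exposed.values())) if exposed else []
    return {
        "subjects": len(exposed),          # approximate number of data subjects
        "records": records,                # approximate number of records
        "categories": categories,          # categories of personal data
        "actors": sorted(actors),          # accounts that performed the access
        "first_seen": first_seen,          # earliest cross-user access in the log
        "ico_deadline": detected_at + ICO_NOTIFICATION_WINDOW,
    }
```

The summary dict maps directly onto the fields listed in the ≤ 72 h row; `first_seen` versus `detected_at` also documents the detection gap for the post-incident review.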
Pre-approved holding statements are stored in the compliance binder for: (i) user comms, (ii) status-page comms, (iii) press enquiries. They are populated with incident-specific facts at T+4h.

Incident response exercises are scheduled twice per year. Scenarios rotate between: database leak, OAuth token compromise, supply-chain compromise of an upstream dependency, and ransomware on a developer endpoint. Outcomes feed back into this runbook.