Does the responsible person know what information to record on your breach log? - No
Your business needs to decide how the responsible person records and reviews the facts about actual or potential personal data breaches.
Your log should include:
- its causes;
- what happened;
- the personal data affected;
- the impact of the breach on those affected;
- any steps the business took you took to reduce the consequences on those affected; and
- reasons for deciding whether or not to report it to the ICO.
The responsible person needs to review the information in the breach log with relevant staff regularly. Take into account any ICO recommendations to help you avoid similar incidents happening again.
If new information comes to light about an existing personal data breach, they should update the log and reassess the impact on affected people.
They may need to tell those affected, and they may also need to report the breach to the ICO at this stage, explaining the reason for the delay.