OMNIAInclusion

Breach notification SOP

Last updated · 1 June 2026Version 1.1OMNIA Inclusion Ltd · Co. no. 17228173
Ask a question

Personal-Data Breach Notification SOP

Pre-drafted templates and workflow for notifying the UAE Data Office, the UK ICO, and affected Schools in the event of a personal-data breach.

Version: 1.1 Last updated: 1 June 2026 Owner: OMNIA Inclusion Ltd — Data Protection lead

Under stress, you fill in blanks — you do not write prose. This SOP exists so a breach response on a Friday night is a 60-minute exercise, not a 6-hour one.

Statutory deadlines

AuthorityDeadlineTrigger
UAE Data Office"Without undue delay" (PDPL Art. 9) — treat as 72 hoursBreach affecting UAE data subjects
UK ICO72 hours from awareness (UK GDPR Art. 33)Breach affecting UK data subjects
Affected School (controller)Without undue delay — treat as 24 hours from OMNIA awareness (DPA + UAE Addendum §2.3(c))Any confirmed or suspected breach affecting that School's data
Affected data subjectsWithout undue delay, where high risk (PDPL Art. 9; UK GDPR Art. 34)Controller (School) decides, OMNIA assists

BYOK incidents. Where an incident is confined to a school's own Anthropic or Azure OpenAI tenancy (e.g. a key leak the school is investigating), the School is the controller for that incident and notifies regulators directly. OMNIA assists with the OMNIA-side audit trail (which prompts left OMNIA, when, for which pupils) but does not hold the provider-side logs. If the incident touches OMNIA-held data as well, both controller and processor notifications run in parallel under the timetable above.

Phase 1 — Detection (0–1 hour)

  1. Person who detects: post in #sec-incident (Slack) and email dpo@omnia-inclusion.com.
  2. DP lead opens an incident ticket with:
    • Detection time + detector name
    • Nature of suspected breach (confidentiality / integrity / availability)
    • Systems involved
    • Affected schools (tenant IDs) — preliminary
  3. Engage on-call engineer to contain.

Phase 2 — Containment (1–4 hours)

  1. Isolate affected systems / revoke compromised credentials.
  2. Preserve logs (audit_logs, system_audit_logs, Cloudflare logs, Supabase logs).
  3. Stop further data loss. Do not delete evidence.
  4. Snapshot the affected database tables.

Phase 3 — Assessment (4–24 hours)

Complete the assessment grid:

QuestionFinding
What data was affected? (category, volume)
Was special-category data affected? (SEND, health)
How many data subjects?
Which Schools / tenants?
Was data exfiltrated, or only accessed?
Is data recoverable / has it been restored?
Likelihood of harm to data subjects? (low / medium / high)
Root cause (preliminary)?

Phase 4 — Notification (within 24 hours to Schools; 72 hours to regulators)

Use the templates below verbatim — fill bracketed fields only.

Template A — Notice to affected School DPO (within 24 hours)

Subject: URGENT — OMNIA personal-data incident notification — [SCHOOL NAME]

Dear [DPO name],

We are writing to notify you, in our capacity as data processor, of a personal-data incident affecting data we process on your behalf. This notification is given under [DPA clause X] and §2.3(c) of the UAE Jurisdiction Addendum.

Time of detection: [TIMESTAMP, UTC + local] Nature of incident: [Confidentiality breach / integrity breach / availability breach] Cause (preliminary): [e.g. compromised admin credential; misconfigured access rule] Data categories affected: [e.g. pupil names, DOBs, SEND diagnoses] Approximate number of data subjects affected: [N] Special-category data affected? [Yes / No — detail] Containment status: [Contained at HH:MM UTC / In progress] Data exfiltrated? [Confirmed yes / No evidence of exfiltration / Under investigation]

Likely consequences: [e.g. unauthorised disclosure of SEND status to party X; risk of distress to affected families]

Mitigation steps taken by OMNIA:

  • [Step 1]
  • [Step 2]
  • [Step 3]

Recommended actions for the School (as controller):

  • Notify the UAE Data Office within 72 hours of awareness (PDPL Art. 9). As your processor we will support this notification with the technical detail set out above.
  • Consider notifying affected data subjects directly where there is a high risk to their rights and freedoms.
  • [Any school-specific recommendation, e.g. force-reset staff passwords]

OMNIA point of contact for this incident: [Name], DP lead — dpo@omnia-inclusion.com — +44 [NUMBER]

We will provide written updates at least every 24 hours until the incident is closed, and a full post-incident report within 14 days.

Yours sincerely,

[Name] Data Protection Lead OMNIA Inclusion Ltd

Template B — Notice to UAE Data Office (within 72 hours)

Submitted via dataoffice.gov.ae online portal. The free-text section follows this structure.

  1. Reporting entity: OMNIA Inclusion Ltd (processor) on behalf of [School name] (controller, UAE-based).
  2. Time of incident: [TIMESTAMP]
  3. Time of detection: [TIMESTAMP]
  4. Nature of breach: [Confidentiality / integrity / availability]
  5. Description of incident: [3–5 sentences, factual]
  6. Categories of data affected: [List]
  7. Categories of data subjects affected: [e.g. pupils, parents, staff]
  8. Approximate number affected: [N]
  9. Likely consequences: [Risk assessment]
  10. Measures taken: [Containment + mitigation]
  11. Measures proposed: [Remediation roadmap]
  12. Contact: [Name, email, phone]

Template C — Notice to UK ICO (within 72 hours, if UK data subjects affected)

Submitted via ico.org.uk online form. Same structure as Template B, adjusted for UK GDPR Art. 33 fields.

Template D — Notice to affected data subjects (issued by School, drafted by OMNIA on request)

Dear [parent / guardian / staff member],

We are writing to inform you of a recent incident at [School name] involving some of your personal information. We are giving you this notice so you can take any steps you think appropriate to protect yourself.

What happened: [Plain-English description, 2–3 sentences] What information was involved: [List] When it happened: [Date] What we are doing about it: [3 bullets] What you can do: [If applicable — e.g. reset password, watch for phishing] Who to contact: [School DPO contact]

We are sorry this has happened. We have notified the UAE Data Office and are working with our technology provider, OMNIA Inclusion Ltd, to ensure this cannot happen again.

[School name]

Phase 5 — Post-incident review (within 14 days)

  1. Root-cause analysis (5 whys).
  2. Remediation plan with owners and dates.
  3. Lessons-learned write-up shared with all Schools (sanitised).
  4. Update of this SOP if any gap was identified.
  5. Update of DPIA if the incident reveals a previously unidentified risk.

Drill schedule

  • Tabletop exercise every 6 months.
  • Restore-from-backup test every 3 months.
  • Credential rotation every 90 days.

Questions, corrections or a formal data-protection request? Email hello@omnia-inclusion.com. We aim to respond within 5 working days; statutory rights requests are answered within 30 days.

Back to all policies

© 2026 OMNIA Inclusion Ltd. Registered in England & Wales · Company no. 17228173 · 169 High Street, Marske-by-the-Sea, Redcar & Cleveland, TS11 7LN, United Kingdom.