It is not as bad as the title might suggest: I am currently working on an Incident Response Plan for my UK-based employer and want to make sure we have procedures covered if any incident of data theft were to occur.
I am particularly interested to find out if there is any legal obligation to notify involved parties for smaller companies (around 20 employees).
This will be in two different kinds of scenarios: we might have customer data from one of our clients which would include only contact details of some of their customers. If there was a breach and no contractual agreement stating we have to tell our client, do we have to notify them as part of a legal obligation? (I know ethically speaking we should, but I also try to ensure legal compliance within my means; Google was no great help.)
And No 2, the case where a third party would have...