The ICO exists to empower you through information.

Business continuity management

Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.

Contents

Have business continuity and disaster recovery plans in place so you can take appropriate and timely actions to protect personal information from further loss of confidentiality, integrity or availability.

Options to consider:

Formally document plans for business continuity and disaster recovery.

Periodically review, test and update plans.
Ask senior staff to authorise the plans.
Define and document roles and responsibilities for staff involved in business continuity and disaster recovery.

Train all staff on what to do in the event of a systems or network outage.
Test business continuity and disaster recovery plans to ensure they remain up-to-date and fit for purpose.

Conduct lessons learned activities to identify and understand any changes you need to make to the plans.