DATA BREACH POLICY
Under Article 33 of the General Data Protection Regulation (GDPR) there is a legal obligation for companies to report personal data breaches to the supervisory authority (in the UK, the Information Commissioner’s Office) unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Under Article 34, companies must also inform the individuals affected where a breach is likely to result in a high risk to their rights and freedoms.
The purpose of this policy is to set out the procedures that Skene Enterprises (Aberdeen) Ltd. (herein referred to as “the Company”) will adhere to in response to a data breach. The policy will ensure that any data breach is appropriately logged, managed and reported as required by Articles 33 and 34 of GDPR.
Review And Update Of The Policy
This policy will be reviewed, at least annually, by the Compliance Team to ensure the business remains compliant with any changes or amendments to relevant legislation, and following any data breach.
Purpose And Scope
The Company is obliged under the GDPR to have in place procedures to ensure the security of all personal data it processes, including clear lines of responsibility.
This policy sets out the procedure to be followed to ensure a consistent and effective approach is in place for managing a data breach in relation to GDPR.
This policy relates to all personal data held by the Company, including special category (sensitive) data, regardless of format (for example electronic or paper copies).
This policy applies to all staff employed by Skene Enterprises (Aberdeen) Ltd. This includes temporary, casual or agency staff and contractors, consultants, suppliers and data processors working for, or on behalf of Skene Enterprises (Aberdeen) Ltd.
The objective of this policy is to contain any breach, minimise the risk associated with it, and determine what action is necessary to secure personal data and prevent further breaches.
Definitions / Types Of Breach
Article 4(12) of the GDPR defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” A breach is therefore not limited to deliberate attacks; accidental loss or disclosure is also a breach.
A breach includes but is not limited to the following:
- loss or theft of personal or sensitive data, or of equipment on which such data is stored (e.g. loss of a laptop, portable hard drive, tablet device or paper record);
- unauthorised use of, access to or modification of data or information systems;
- attempts to gain unauthorised access to information or IT system(s);
- unauthorised disclosure of personal / sensitive data;
- human error where personal data is disclosed, lost or stolen (deliberate or accidental);
- ‘blagging’ offences, where information is obtained by deceiving the organisation that holds it.
INCIDENT RESPONSE AND INVESTIGATION
Employees are expected to report any data breach to the Site/Duty Manager by contacting Reception as soon as the breach has been discovered.
The Site/Duty Manager should record the details of the incident, including when the breach occurred (dates and times), who is reporting it, the nature of the information involved and how many individuals are affected. Section 1 of the Incident Response Form (see Appendix A) should be completed as part of the reporting process and sent to the Compliance Team.
The Compliance Team will determine if the breach is still occurring and if so, the appropriate steps will be taken immediately to minimise the effect of the breach.
The Compliance Team will conduct an initial assessment, establish who may need to be notified, and inform the Information Commissioner’s Office (ICO) and all other parties involved where appropriate. Section 2 of the Incident Response Form will be completed during this stage. The ICO must be notified where a breach is likely to result in a risk to the rights and freedoms of individuals; for example, where the breach could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. Where the breach is unlikely to result in such a risk, notification is not required, but the breach must still be recorded on the Incident Response Form.
The investigation will need to take into account the following:
- the categories of personal data involved.
- the sensitivity of the data involved.
- the likely consequences of the breach.
- data subject(s) affected by the breach, number of individuals involved and the potential effects on those data subject(s).
- how the Company intends to deal with the breach.
Where the investigation determines that notification is required, the Compliance Team will notify the ICO without undue delay and not later than 72 hours after becoming aware of the breach (see Appendix B for template); if notification is made after 72 hours, it must be accompanied by the reasons for the delay. Individuals whose personal data has been affected will be informed without undue delay where the breach is likely to result in a high risk to their rights and freedoms (see Appendix C for template).
Once the breach has been contained and all parties notified where applicable, the Compliance Team will meet to carry out a full review of the causes and consequences of the breach, the effectiveness of the response, and whether any changes to systems, policies and procedures should be made. Section 3 of the Incident Response Form should be completed at this stage.
If deemed necessary, a report recommending any changes to systems, policies and procedures will be submitted to the Company Directors for consideration.
The Compliance Team contact details are as follows:
Director & General Manager/Compliance Officer