1.1 Richard Judd, Company’s Data Protection Officer OR Stuart Lynch, Managing Partner shall begin an investigation of a data breach as soon as is reasonably possible after receiving a Data Breach Report Form (or being notified in any other way) and, in any event, within 24 hours of the data breach being discovered and/or reported.
1.2 Investigations and assessments must take the following into account:
a) the type(s) of data involved (and, in particular, whether the data is personal data or sensitive personal data);
b) the sensitivity of the data (both commercially and personally);
c) what the data breach involved;
d) what organisational and technical measures were in place to protect the data;
e) what might be done with the data as a result of a breach (including unlawful or otherwise inappropriate misuse);
f) where personal data is involved, what that personal data could tell a third party about the data subjects to whom the data relates;
g) the category or categories of data subject to whom any personal data relates;
h) the number of data subjects (or approximate number if calculating an exact number is not reasonably practicable) likely to be affected by the data breach;
i) the potential effects on the data subjects involved;
j) the potential consequences for the Company;
k) the broader consequences of the data breach, both for data subjects and for the Company.
1.3 The results of the investigation and assessment described above must be recorded in the Company’s Data Breach Register.
1.4 Having completed the investigation and assessment described above, Richard Judd, Company’s Data Protection Officer OR Stuart Lynch, Managing Partner shall determine the parties to be notified of the breach as described in Part 7, below.
2.1 Richard Judd, Company’s Data Protection Officer OR Stuart Lynch, Managing Partner shall determine whether to notify one or more of the following parties of the breach:
a) affected data subjects;
b) the ICO;
c) the police;
d) the Company’s insurers;
e) affected commercial partners.
2.2 When considering whether (and how) to notify individual data subjects in the event of a personal data breach, the following should be considered:
a) the likelihood that data subjects’ rights and freedoms as set out in the GDPR (and the Company’s Data Protection Policy) will be adversely affected;
b) whether there is a legal or contractual requirement to notify;
c) whether measures in place to protect the affected personal data (e.g. pseudonymisation or encryption) have been applied, thereby rendering the data unusable to any unauthorised parties;
d) whether measures have been taken following the data breach that will ensure that a high risk to the rights and freedoms of affected data subjects is no longer likely to occur;
e) the benefits to data subjects of being notified (e.g. giving them the opportunity to mitigate the risks posed by the data breach);
f) whether notifying individuals will involve disproportionate effort (in which case a public communication or other widely available notice may suffice, provided that affected data subjects will still be informed effectively);
g) the best way of notifying data subjects, taking into account the urgency of the situation and the security of the possible methods;
h) any special considerations applicable to certain categories of data subject (e.g. children or vulnerable people);
i) the information that should be provided to affected data subjects;
j) how to make it easy for affected data subjects to contact the Company to find out more about the data breach;
k) further assistance that the Company should provide to the affected data subjects, where appropriate;
l) the risks of over-notifying – not all data breaches require notification, and excessive notification may result in disproportionate work and numbers of enquiries from individuals.
2.3 When individual data subjects are to be informed of a data breach, those individuals must be informed of the breach without undue delay. Individuals shall be provided with the following information:
a) a user-friendly description of the data breach, including how and when it occurred, the personal data involved, and the likely consequences;
b) clear and specific advice, where relevant, on the steps individuals can take to protect themselves;
c) a description of the measures taken (or proposed to be taken) to address the data breach including, where relevant, measures taken to mitigate any possible adverse effects;
d) contact details for Richard Judd, Company’s Data Protection Officer OR Stuart Lynch, Managing Partner from whom affected individuals can obtain further information about the data breach.
2.4 When considering whether (and how) to notify the ICO of a data breach, the following should be considered:
a) the risk and potential harm to data subjects and their rights and freedoms – harm can include (but is not limited to) financial harm, physical harm, loss of control over personal data, discrimination, identity theft or fraud, damage to reputation, and emotional distress;
b) the volume of personal data involved – the ICO should be notified if a large volume of data is involved and there is a real risk of data subjects suffering harm as a result; however, it may also be appropriate to notify the ICO if a smaller amount of high-risk data is involved;
c) the sensitivity of the data involved – the more sensitive the personal data is, the less relevant its volume becomes, and if the data breach presents a significant risk of data subjects suffering substantial detriment or distress, the ICO should be notified.
2.5 If the ICO is to be notified of a data breach, this must be done within 72 hours of becoming aware of the breach, where feasible. This time limit applies even if complete details of the data breach are not yet available. The ICO must be provided with the following information:
a) the category or categories and the approximate number of data subjects whose personal data is affected by the data breach;
b) the category or categories and the approximate number of personal data records involved;
c) the name and contact details of Richard Judd, Company’s Data Protection Officer OR Stuart Lynch, Managing Partner from whom the ICO can obtain further information about the data breach;
d) a description of the likely consequences of the data breach; and
e) a description of the measures taken (or proposed to be taken) to address the data breach including, where relevant, measures taken to mitigate any possible adverse effects.
2.6 The police may have been contacted at an earlier point in the data breach procedure (see 5.2); however, further investigation may reveal that the data breach resulted from a criminal act, in which case the police should be further informed.
2.7 Records must be kept of all data breaches, regardless of whether notification is required. The decision-making process surrounding notification should be documented and recorded in the Company’s Data Breach Register.
3. Evaluation and Response
3.1 When the steps set out above have been completed, the data breach has been contained, and all necessary parties notified, Richard Judd, Company’s Data Protection Officer OR Stuart Lynch, Managing Partner shall conduct a complete review of the causes of the data breach, the effectiveness of the measures taken in response, and whether any systems, policies, or procedures can be changed to prevent data breaches from occurring in the future.
3.2 Such reviews shall, in particular, consider the following with respect to data (and in particular, personal data) collected, held, and processed by the Company:
a) where and how data is held and stored;
b) the current organisational and technical security measures in place to protect data and the risks and possible weaknesses of those measures;
c) the methods of data transmission for both physical and electronic data and whether or not such methods are secure;
d) the level of data sharing that takes place and whether or not that level is necessary;
e) whether any data protection impact assessments need to be conducted or updated;
f) staff awareness and training concerning data protection.
3.3 Where possible improvements and/or other changes are identified, Richard Judd, Company’s Data Protection Officer OR Stuart Lynch, Managing Partner shall liaise with the relevant staff and/or departments with respect to the implementation of such improvements and/or changes.
4. Policy Review and Implementation
4.1 This Policy will be updated as necessary to reflect current best practice and official guidance, and in line with current legislation.
4.2 This Policy shall be deemed effective as of 01/03/2020. No part of this Policy shall have retroactive effect; it shall thus apply only to matters occurring on or after this date.