Why have this procedure?
As of 25 May 2018, the UK’s, and Europe’s, laws regarding data protection will undergo a substantial change as a result of the General Data Protection Regulation (GDPR), and the Data Protection Act 2018 which is the UK’s legislation mirroring GDPR.
Amongst the many changes brought about by GDPR and the Data Protection Act 2018, one of the most notable is the obligation on businesses to pro-actively monitor and report on data breaches. This involves maintaining a register of breaches and, in certain circumstances, notifying the Information Commissioner’s Office (the ICO) and, sometimes, the data subjects themselves, that data has been lost. In addition, the deadlines for notifying the ICO of breaches are very short and failures to respond within the set deadlines or with the correct information could lead to substantial fines and reputational damage for DVW.
By following this simple process we can ensure that any data breaches that may occur are dealt with by the appropriate people within DVW and within the timescales set out in the law.
What is a Data Breach?
According to the ICO, a data breach is:
“A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service.”
In short, it’s where personal data we are holding is lost or seen by someone who isn’t entitled to see it.
Are There Different Categories of Breach?
For the purposes of this policy, DVW has split potential breaches into three categories, which are as follows:
Minor Breaches – this is where the amount of data exposed is minimal and is not of a sensitive nature, meaning that the persons who are subject to the breach are unlikely to feel their rights have been unduly affected by the exposure. An example of a minor breach could be sending an email to the wrong person. Minor breaches will be recorded on DVW’s breach register but not reported to the ICO.
Serious Breaches – this is where a large amount of data is exposed, or some of the data that has been exposed could be seen as sensitive with the result that the persons who are subject to the breach are likely to feel their rights have been adversely affected by the exposure. An example of a serious breach could be sending a marketing email with all recipients’ contact details being visible to everyone. Repeated minor breaches of the same nature can also amount to a serious breach. Serious breaches will be recorded on DVW’s breach register and reported to the ICO without delay.
Major Breaches – this is where a substantial amount of data is exposed, or the data that has been exposed is highly sensitive (such as employee medical records), with the result that the persons subject to the breach feel their rights have been significantly affected by the exposure. Major breaches will be recorded on DVW’s breach register and reported to the ICO without delay. DVW will also notify all affected data subjects, informing them of the breach, how it has happened and what DVW will do to rectify the breach and stop it from happening in the future.
What to do if you suspect there has been a breach
If you have reason to believe there has been a data breach then you must immediately speak to Gerlize de Villiers, or DVW’s CEO in Gerlize’s absence, and provide them with any information you have regarding the breach. As a minimum, Gerlize will need to know:
1. How you discovered the breach
2. When you discovered the breach
3. What data has been exposed
You must provide Gerlize with as much support and information as she requests relating to any breach you may have discovered.
It is Gerlize de Villiers’s responsibility to manage DVW’s response to any potential data breach, together with the senior management team, and no actions must be undertaken without the approval of the senior management team or Gerlize de Villiers.
Gerlize, together with the senior management team, external advisors and, if necessary, the ICO, will determine the nature and seriousness of the breach and any actions DVW must take in response to the breach.
Breach Register
Gerlize de Villiers has been delegated the responsibility to maintain DVW’s data breach register. This register will be provided to the senior management team on a regular basis so they can assess DVW’s compliance with data protection laws and processes. Employees will not be specifically listed in the breach register (whether as the person identifying the breach or as the person causing the breach) and will not be provided with a copy of the register as it is confidential and commercially sensitive.
© COPYRIGHT 2003 - 2022 DE VILLIERS WALTON LIMITED. ALL RIGHTS RESERVED.