Data Breach Notification Policy

Aim

Progress to Excellence Ltd (PtoE) are aware of the obligations placed on us by the General Data Protection Regulation (GDPR) in relation to processing data lawfully and keeping it secure.

One such obligation is to report a breach of personal data in certain circumstances, and this policy sets out our position on reporting data breaches.

Personal data breach

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or processed.

The following are examples of data breaches:

  • Access by an unauthorised third party
  • Deliberate or accidental action (or inaction) by a data controller or data processor
  • Sending personal data to an incorrect recipient
  • Computing devices containing personal data being lost or stolen
  • Alteration of personal data without permission
  • Loss of availability of personal data.

Breach detection measures

The following measures have been put into practice to assist in detecting and preventing a personal data breach:

  • Appointment of a Data Protection Officer
  • Heightened and improved security software, encryption and threat detection:
      ◦ Microsoft Enterprise Mobility + Security Suite E3
      ◦ Malwarebytes Endpoint Protection License
      ◦ WatchGuard Firebox M370
      ◦ SSL Wildcard Certificate
      ◦ AVG Business Edition
      ◦ Microsoft Windows Active Directory
      ◦ CNS IT Ltd – contracted professional business IT support company
  • Clear reporting lines
  • Staff training and awareness.

Suspected breach investigation

In the event that PtoE are made aware of a breach, or a potential breach, an investigation will be carried out.

This investigation will be carried out by Michael Williams, PtoE’s Data Protection Officer, who will decide whether the breach must be notified to the Information Commissioner’s Office (ICO). A decision will also be made as to whether the breach is such that the affected individual(s) must also be notified.

All suspected breaches will be logged on the Data Breach Log.

Breach notification – ICO

In accordance with the GDPR, PtoE will notify the ICO of a breach which is likely to pose a risk to people’s rights and freedoms. A risk to people’s freedoms can include physical, material or non-material damage such as discrimination, identity theft or fraud, financial loss and damage to reputation.

Notification to the ICO will be made without undue delay and at the latest within 72 hours of discovery. If we are unable to report in full within this timescale, we will make an initial report to the ICO and then provide the remaining information in one or more further instalments as required.

The following information will be provided when a breach is notified:

  • A description of the nature of the personal data breach including, where possible:
      ◦ The categories and approximate number of individuals concerned
      ◦ The categories and approximate number of personal data records concerned
  • The name and contact details of PtoE’s Data Protection Officer, where more information can be obtained
  • A description of the likely consequences of the personal data breach
  • A description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.

Breach notification – individual

In accordance with the GDPR, PtoE will notify the individual whose data is the subject of a breach if there is a high risk to people’s rights and freedoms.

A high risk may be, for example, where there is an immediate threat of identity theft, or if special categories of data are disclosed online.

This notification will be made without undue delay and, depending on the circumstances, before the supervisory authority is notified.

The following information will be provided when a breach is notified to the affected individuals:

  • A description of the nature of the breach
  • The name and contact details of PtoE’s Data Protection Officer, where more information can be obtained
  • A description of the likely consequences of the personal data breach
  • A description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.

Record of breaches

The Company records all personal data breaches regardless of whether they are notifiable or not as part of its general accountability requirement under GDPR. It records the facts relating to the breach, its effects and the remedial action taken. As stated earlier in the policy, all breaches are recorded in the Data Breach Log.

If you have any questions relating to our GDPR and privacy notices, or any concerns, please contact our designated Data Protection Officer or, alternatively, complete the GDPR Request Form.