Data Breach Response and Notification Procedure

1. Scope, purpose and users

This Procedure provides general principles and an approach for responding to and mitigating breaches of personal data (a "personal data breach") in one or both of the following circumstances:

  • The personal data identifies data subjects who are residents of the Member States of the European Union (EU) and countries in the European Economic Area (EEA), regardless of where that data is processed globally; and
  • The personal data is processed in the EU and/or EEA, regardless of the country of residency of the data subject.

The Procedure lays out the general principles and actions for successfully managing the response to a data breach, as well as for fulfilling the obligations to notify Supervisory Authorities and individuals as required by the EU GDPR.

All Employees/Staff, contractors or temporary Employees/Staff, and third parties working for or acting on behalf of iConnect ("Company") must be aware of, and follow, this Procedure in the event of a personal data breach.

2. Reference documents

  • EU GDPR 2016/679 (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC)
  • Personal Data Protection Policy

3. Definitions

The following definitions of terms used in this document are drawn from Article 4 of the European Union's General Data Protection Regulation (GDPR):

"Personal Data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

"Controller" is the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

"Processor" is a natural or legal person, public authority, agency or any other body which processes personal data on behalf of a Data Controller.

"Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

"Supervisory Authority" means an independent public authority which is established by a Member State pursuant to Article 51.

4. Data Breach Response Team

The Data Breach Response Team must be a multi-disciplinary team comprised of knowledgeable and skilled individuals from the IT Department, IT Security, Legal and Public Affairs. The team may be a physical (local) or virtual (multiple locations) team which responds to any suspected/alleged personal data breach.

The Financial Director appoints the members of the Data Breach Response Team. The Team must be appointed regardless of whether or not a breach has occurred.

The team must ensure that the necessary readiness for a personal data breach response exists, along with the needed resources and preparation (such as call lists, substitution of key roles, desktop exercises, and the required review of company policies, procedures and practices).

The team's mission is to provide an immediate, effective and skillful response to any suspected/alleged or actual personal data breach affecting the Company.

If required, the team members may also involve external parties (e.g. an information security vendor for carrying out digital forensics tasks, or an external communications agency for assisting the Company with crisis communications needs).

The Data Breach Response Team Leader can choose to add additional personnel to the team for the purpose of dealing with a specific personal data breach.

The Data Breach Response Team may deal with more than one suspected/alleged or actual personal data breach at a time. Although the core team may be the same for each suspected/alleged or actual personal data breach, there is no requirement for this.

The Data Breach Response Team must be prepared to respond to a suspected/alleged or actual personal data breach 24/7, year-round. Therefore, the contact details for each member of the Data Breach Response Team, including personal contact details, shall be stored in a central location and shall be used to assemble the team whenever notification of a suspected/alleged or actual personal data breach is received.

5. Data Breach Response Team duties

Once a personal data breach is reported to the Data Breach Response Team Leader, the team must implement the following:

  • Validate/triage the personal data breach
  • Ensure a proper and impartial investigation (including digital forensics if necessary) is initiated, conducted, documented and concluded
  • Identify remediation requirements and track resolution
  • Report findings to top management
  • Coordinate with the appropriate authorities as needed
  • Coordinate internal and external communications
  • Ensure that impacted data subjects are properly notified, if necessary

The Data Breach Response Team will convene for each reported (and alleged) personal data breach, and will be headed by the Data Breach Response Team Leader.

6. Data Breach Response process

The Data Breach Response Process is initiated when anyone notices a suspected/alleged or actual personal data breach and notifies any member of the Data Breach Response Team. The team is responsible for determining whether the incident should be considered a breach affecting personal data.

The Data Breach Response Team Leader is responsible for documenting all decisions of the core team. Since these documents might be reviewed by the Supervisory Authorities, they need to be written very precisely and thoroughly to ensure traceability and accountability.

7. Personal data breach notification: Data processor to data controller

When the personal data breach or suspected data breach affects personal data that is being processed on behalf of a third party, the Data Protection Officer of the Company, acting as a data processor, must report the personal data breach to the respective data controller(s) without undue delay.

The Data Protection Officer will send a notification to the controller that includes the following:

  • A description of the nature of the breach
  • Categories of personal data affected
  • Approximate number of data subjects affected
  • Name and contact details of the Data Breach Response Team Leader / Data Protection Officer
  • Consequences of the personal data breach
  • Measures taken to address the personal data breach
  • Any other information relating to the data breach

The DPO will record the data breach in the Data Breach Register.

8. Personal data breach notification: Data controller to supervisory authority

When the personal data breach or suspected data breach affects personal data that is being processed by the Company as a data controller, the following actions are performed by the Data Protection Officer:

  • The Company must establish whether the personal data breach should be reported to the Supervisory Authority.
  • In order to establish the risk to the rights and freedoms of the affected data subjects, the Data Protection Officer must perform the Data Protection Impact Assessment on the processing activity affected by the data breach.
  • If the personal data breach is not likely to result in a risk to the rights and freedoms of the affected data subjects, no notification is required. However, the data breach must still be recorded in the Data Breach Register.
  • The Supervisory Authority must be notified without undue delay, and no later than 72 hours, if the personal data breach is likely to result in a risk to the rights and freedoms of the data subjects affected by the personal data breach. The reasons for any delay beyond 72 hours must be communicated to the Supervisory Authority.

The DPO will send a notification to the Supervisory Authority that includes the following:

  • A description of the nature of the breach
  • Categories of personal data affected
  • Approximate number of data subjects affected
  • Name and contact details of the Data Breach Response Team Leader / Data Protection Officer
  • Consequences of the personal data breach
  • Measures taken to address the personal data breach
  • Any other information relating to the data breach

9. Personal data breach notification: Data controller to data subject

The Financial Director must assess whether the personal data breach is likely to result in a high risk to the rights and freedoms of the data subjects. If so, the Data Protection Officer of the Company must notify the affected data subjects without undue delay.

The notification to the data subjects must be written in clear and plain language and must contain the same information listed in Section 7.

If, due to the number of affected data subjects, it is disproportionately difficult to notify each affected data subject individually, the Data Protection Officer must take the necessary measures to ensure that the affected data subjects are notified through appropriate, publicly available channels.

10. Accountability

Any individual who breaches this Procedure may be subject to internal disciplinary action (up to and including termination of their employment), and may also face civil or criminal liability if their action violates the law.

11. Managing records kept on the basis of this document

Record name | Storage location | Person responsible for storage | Controls for record protection | Retention time
Call lists & substitution | Google Drive of Data Breach Response Team Leader | Data Breach Response Team Leader | Only authorized persons can edit the files | Permanently
Contact details | Google Drive of Data Breach Response Team Leader | Data Breach Response Team Leader | Only authorized persons can edit the files | Permanently
Documented decisions of the Data Breach Response Team | Google Drive of Data Breach Response Team Leader | Data Breach Response Team Leader | Only the Data Breach Response Team Leader can edit the files | 5 years
Data breach notifications | Google Drive of Data Breach Response Team Leader | Data Breach Response Team Leader | Only the Data Breach Response Team Leader can edit the files | 5 years
Data Breach Register | Google Drive of Data Breach Response Team Leader | Data Protection Officer | Only the Data Protection Officer can edit the files | Permanently

12. Validity and document management

This document is valid as of March 2018.

The owner of this document is the Data Protection Officer, who must check and, if necessary, update the document at least once a year.