Data Breach Procedure
This procedure is to be followed if there is a breach of personal data. The people responsible for managing the process are Jean Holt, Salon Coordinator, or Sarah Sinclair, Front of House.
All decisions on whether or not to notify the Information Commissioner's Office (ICO) or the individuals affected will be countersigned by Tracey Passantino, Salon Director.
This procedure covers:
- What is a personal data breach?
- What must be recorded?
- Assessing the likelihood and severity of the adverse consequences of the breach
- When do breaches have to be reported to the ICO?
- What must be reported to the ICO?
- How to report a breach to the ICO
- Telling individuals affected about a breach
- What are the consequences of failing to notify the ICO?
What is a personal data breach?
A breach is a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Examples include:
- Access by an unauthorised third party.
- Deliberate or accidental action by a data controller (Style H&B) or a data processor (Shortcuts)
- Sending personal data to an incorrect recipient
- Computer or data storage devices containing personal data being lost or stolen
- Alteration of personal data without permission
- Loss of availability of personal data
What must be recorded
All breaches must be recorded, whether or not they need to be reported to the ICO. If you decide not to report a breach, you must be able to justify this decision, and it must therefore be documented. Record:
- The facts relating to the breach
- Its effects
- Remedial actions taken
- What caused the breach and how a recurrence could be prevented
Assessing the likelihood and severity of the negative consequences of the breach
Use the template in Appendix A to answer the following questions:
- What is the likelihood and severity of the resulting risk to people’s rights and freedoms?
- What are the potential negative consequences to the individuals concerned?
- How serious and substantial are the consequences? Don’t forget this can include emotional distress, as well as financial, physical or material damage.
If there is a high risk of negatively affecting individuals' rights and freedoms (scoring 6 or more points), then the breach must be reported to the ICO.
You may also need to notify third parties such as the police, insurers, credit card companies or banks who could help to reduce the risk of financial loss to the individual.
When do breaches have to be reported to the ICO?
Breaches which are likely to result in a high risk of negatively affecting individuals' rights and freedoms must be reported no later than 72 hours after you first become aware of the breach.
If you take longer than this, the reason for delay must be documented.
How to report a breach to the ICO
The section of the ICO website on reporting breaches has not yet been updated for GDPR. However, the following contact details are provided:
Open Monday-Friday 9-5
Telling individuals affected about a breach
If the breach is likely to result in a high risk to the rights and freedoms of individuals, you must inform those individuals as soon as possible.
You need to tell the individuals:
- The nature of the personal data breach
- The name and contact details of the person who can provide them with more information
- The measures taken, or proposed to be taken, to deal with the personal data breach, and the measures taken to mitigate any possible adverse effects
If you decide not to notify individuals, you still need to notify the ICO unless you can show that the breach is unlikely to result in risks to rights and freedoms. The ICO has the power to make you inform individuals if it considers there is a high risk. The decision-making process must be documented.
What are the consequences of failing to notify the ICO?
A fine of up to 10 million euros or 2% of your turnover, or, in the most severe cases, a fine of up to 20 million euros or 4% of your turnover.
What must be reported to the ICO?
A description of the nature of the personal data breach including:
- The categories and approximate number of individuals concerned and the categories and approximate numbers of personal data records concerned.
- The name and contact details of the person who can provide more information if required.
- The likely consequences of the personal data breach.
- The measures taken, or proposed to be taken, to deal with the personal data breach including measures taken to mitigate any possible negative effects.
The information can be provided in phases if it is not all available within the 72 hours, as long as this is still done without undue further delay and you inform the ICO when to expect further information from you.
You must prioritise the investigation, give it adequate resources and deal with it urgently.