Our breach policy

What happens in the event of a data breach?

We will:

Investigate any potential breach to find out the nature and cause of the breach at once and examine the extent of the damage or harm that results or could result from the breach.

Take immediate action to stop or mitigate the breach and consider whether we need to report the incident to our local supervisory authority.

Look at the particular circumstances of the breach, including the likelihood, severity and potential impact of the risk including:

  • Type of breach
  • Nature of the data involved
  • How many individuals are concerned
  • How easy is it to identify the individual (s) concerned?
  • How serious would the consequences be to the individual(s) concerned
  • Is the data already publicly available?

 

Once we have considered the nature of the breach etc., we will

Establish whether we need to let any individual(s) know.[1] Please note that the threshold for informing an individual is higher than that for notifying the relevant supervisory authority. We will consider whether notification could help the individual, by allowing individuals to act on the information to mitigate risks, for example by cancelling a credit card or changing a password.

Check to see if the possible breach has been caused by a supplier and therefore they should be taking the action to stop or mitigate the breach.

Review whether appropriate security policies and procedures were in place and if so, whether they were followed.

April 25 2018

[1] Recital 85 states “A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.”