Policies

Data Breach Policy

This policy sets out the policies and procedures
of Switchplane Ltd in regards to the detection,
response and reporting of Personal Data Breaches.

Back to Policies

1. Introduction

This policy sets out the policies and procedures of Switchplane Ltd in regards to the detection, response and reporting of Personal Data Breaches.

2. Definitions

2.1 Data Controller: the person or organisation that determines when, why and how to process Personal Data. It is responsible for establishing practices and policies in line with the GDPR.

2.2 Data Processor: any person, organisation, agency, public authority or other body who processes the data on behalf of the Data Controller.

2.3 Data Subject: a living, identified or identifiable individual about whom Switchplane Ltd holds Personal Data. Data Subjects may be nationals or residents of any country and may have legal rights regarding their Personal Data.

2.4 Appointed Person: person responsible for Data Breaches affecting the company. This is the Operations Manager at Switchplane Ltd (Donna Fielder).

2.5 Personal Data: any information identifying a Data Subject or information relating to a Data Subject that Switchplane Ltd can identify (directly or indirectly) from that data alone or in combination with other identifiers Switchplane Ltd possesses or can reasonably access. Personal Data includes Sensitive Personal Data and Pseudonymised Personal Data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal Data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person's actions or behaviour. Personal Data specifically includes, but is not limited to: name; contact details; date of birth; NI number; salary information; hours of work; and job details etc.

2.6 Personal Data Breach: any act or omission that compromises the security, confidentiality, integrity or availability of Personal Data or the physical, technical, administrative or organisational safeguards that Switchplane Ltd or Switchplane Ltd’s third-party service providers put in place to protect it. The loss, or unauthorised access, disclosure or acquisition, of Personal Data is a Personal Data Breach.

2.7 Privacy by Design: implementing appropriate technical and organisational measures in an effective manner to ensure compliance with the GDPR.

3. Detection of Data Breaches

3.1 Switchplane Ltd has the following technical and organisational measures in progress to help prevent and detect Data Breaches:

  • Application of a Privacy by Design policy to new technology and procedures
  • Annual employee training on data security, how to identify attacks and vulnerabilities and how to implement Switchplane Ltd’s data security procedures
  • Setting up individualised access permissions to systems
  • Use of security assessment software including Amazon Inspector
  • Staying abreast of the latest cybercrime methods
  • Password encryption

3.2 These measures will be reviewed on an annual basis by Switchplane Ltd’s Appointed Person and company Directors.

4. Response to Data Breach

4.1 All personnel must inform the Appointed Person as soon as they become aware of a possible or actual Data Breach. This obligation is outlined to them in a data security training session and in the Switchplane Ltd staff handbook.

4.2 The Appointed Person must ascertain if the company is acting as a Data Controller or Processor in relation to the Personal Data that is subject to the Data Breach.

4.3 The steps to be taken when then responding to this Data Breach will include:

  1. Containment and recovery: put a recovery plan into place and, where necessary, run procedures for damage limitation
  2. Risk assessment: assess any risks associated with the breach, including the potential adverse consequences for individuals; how serious or substantial these are; and how likely they are to happen
  3. Notification: informing, where applicable, supervisory bodies (including ICO), the Data Controller and Data Subjects
  4. Evaluation: investigate the cause of the breach and evaluate Switchplane Ltd’s response to it, updating policies and procedures accordingly

5. Reporting of Data Breach to supervisory authority

5.1 Switchplane Ltd will report to the supervisory authority where the breach relates to Personal Data for which it is a Data Controller.

5.2 This notification will take place without undue delay and no later than 72 hours after having become aware of the breach. If the notification occurs later than 72 hours, a justification will be given.

5.3 The notification will include the following information:

  1. Name and contact details of the Appointed Person
  2. Description of:
    • the nature of the Personal Data Breach
    • the likely consequences of the Personal Data Breach
    • the measures taken or proposed to be taken by the Controller to address the Personal Data Breach

5.4 If it is not possible to gather all of the information required to give a full notification, the Appointed Person will make every effort to gather this missing information and pass it onto the supervisory body as it becomes available. In addition, they will provide reasoning for the delay in acquiring this information.

5.5 The Appointed Person will inform the supervisory body of any ascertained changes in facts that might affect the notification provided.

5.6 Switchplane Ltd will not report a breach to the supervisory body if the Appointed Person ascertains it is unlikely to result in a risk to the rights and freedoms of natural persons. Instead, an internal record of this breach will be kept, along with the justification for why it was not reported.

6. Reporting of Data Breach to supervisory authority to Data Controller

6.1 Switchplane Ltd will report to the Data Controller where the breach relates to Personal Data for which it is a Data Processor.

6.2 This notification will take place without undue delay. Switchplane Ltd will also comply with the provisions of the contract(s) with the affected Data Controllers relating to such notifications.

6.3 The notification will include:

  1. Name and contact details of the Appointed Person
  2. Description of:
    • the nature of the Personal Data Breach
    • the likely consequences of the Personal Data Breach
    • the measures taken or proposed to be taken by the Processor to address the Personal Data Breach

6.4 This information will be sent by confidential means. The Appointed Person will keep a record of this and any further communications with the affected Data Controller in relation to the breach.

6.5 If it is not possible to gather all of the information required to give a full notification, the Appointed Person will make every effort to gather this missing information and pass it onto the Data Controller as it becomes available. In addition they provide reasoning for the delay in acquiring this information.

7. Reporting of Data Breach to supervisory authority to Data Subject

7.1 Switchplane Ltd will report to the Data Subject where the breach relates to Personal Data for which it is a Data Controller.

7.2 Where appropriate, notifications to the Data Subject will be made in consultation with the supervisory body.

7.3 This notification will take place without undue delay and will be relayed by the Appointed Person to the affected Data Subjects in clear plain language.

7.4 The notification will include:

  1. Name and contact details of the Appointed Person
  2. Description of:
    • the nature of the Personal Data Breach
    • the likely consequences of the Personal Data Breach
    • the measures taken or proposed to be taken by the Processor to address the Personal Data Breach

7.5 The Appointed Person will keep a record of all communications with the Data Subjects in relation to this breach.

7.6 Switchplane Ltd will not report a breach to the Data Subject when:

  1. The Appointed Person ascertains it is unlikely to result in a risk to the rights and freedoms of natural persons (instead an internal record of this breach will be kept, along with the justification for why it was not reported)
  2. The Controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the Personal Data affected by the Personal Data Breach (e.g., encryption)
  3. The Controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of Data Subjects is no longer likely to materialise
  4. A communication would involve disproportionate effort. In such a case, a public communication or similar measure is required

7.7 The Appointed Person will keep a record of any decision not to notify the affected Data Subjects, including the reasoning for this decision.

8. Other notifications

8.1 Without affecting the notification obligations set out elsewhere in this policy, the Appointed Person should also consider whether to notify any other third parties of a Personal Data Breach. Notifications may be required under contract or law. Relevant third parties may include:

  1. The Police
  2. Other law enforcement agencies
  3. Insurance companies
  4. Professional bodies
  5. Financial institutions

9. Revising and reviewing this policy

9.1 The Appointed Person is responsible for reviewing this policy annually (around the beginning of June).

9.2 The policy will also be reviewed and amended on an adhoc basis as is necessary to ensure:

  1. The compliance of the company with applicable law, codes of conduct or industry best practice
  2. Other law enforcement agencies
  3. The security of data stored and processed by the company
  4. The protection of the reputation of the company