1. Purpose
The Old Millhouse (“we”/“us”) has this procedure in place to provide a standardised response to any reported data breach incident, and to ensure that data breaches are appropriately logged and managed in accordance with the law and best practice.
2. Scope
This procedure applies in the event of a personal data breach. It applies to all employees of The Old Millhouse at all times, whether located within the physical offices or not.
This document covers all information we hold and all information technology systems used by us.
3. Responsibility
- All employees/staff, contractors or temporary employees/staff and third parties working for or on behalf of us are required to be aware of, and to follow, this procedure in the event of a personal data breach.
- All employees/staff, contractors or temporary personnel are responsible for reporting any personal data breach to Sally de Waard, whose contact details are as follows: Telephone: 0782 477 3060
Email: enquiries@oldmillhouse.co.uk
4. Definition
The GDPR defines a “personal data breach” in Article 4(12) as: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. Examples include:
- Loss or theft of data or equipment on which data is stored
- Access by an unauthorised third party
- Sending personal data to an incorrect recipient
- Alteration of personal data without permission
- Loss of availability of personal data such as equipment failure
- Unforeseen circumstances such as a fire or flood
- Hacking attack
- ‘Blagging’ offences, where information is obtained by deceit
For the purposes of this procedure, data security breaches include both confirmed and suspected breaches.
*If you suspect a data breach or are unsure whether the incident which has occurred constitutes a data breach please refer the matter to Sally de Waard for consideration*
5. Reporting an incident
- Any individual who accesses, uses or manages information within our business is responsible for reporting data breaches and information security incidents immediately to Sally de Waard.
- If the breach occurs or is discovered outside normal working hours, it must still be reported as soon as possible.
- The report must include full and accurate details of the incident: when the breach occurred (dates and times), who is reporting it, the nature of the information involved, and how many individuals are affected.
6. Next Steps
- Sally de Waard will first determine whether the breach is still occurring. If so, appropriate steps will be taken immediately to minimise the effect of the breach.
- An initial assessment will be made by Sally de Waard in liaison with relevant persons (which may include IT services) to establish the severity of the breach and who will take the lead investigating the breach (this will depend on the nature of the breach).
- An investigation will be undertaken immediately and wherever possible within 24 hours of the breach being discovered/reported.
- Sally de Waard will investigate the risks associated with the breach, for example the potential adverse consequences for individuals, how serious or substantial those are, and how likely they are to occur.
- Sally de Waard will then establish whether anything can be done to recover any losses and limit the damage the breach could cause.
- Sally de Waard will identify who may need to be notified. The relevant procedures from those identified below will then be followed. Every incident will be assessed on a case by case basis.
7. Procedure – Breach notification data processor to data controller
- Where The Old Millhouse acts as a data processor, it must report any personal data breach or security incident to the data controller without undue delay. The controller's contact details are recorded in the Internal Breach Register (GDPR REC 4.5). The Old Millhouse provides the controller with all of the details of the breach.
- The breach notification should be made by email or phone.
- Confirmation of receipt should be requested, and obtained by email or phone call.
8. Procedure – Breach notification data controller to supervisory authority
- Sally de Waard will determine whether the supervisory authority (the Information Commissioner’s Office (ICO) in the UK) needs to be notified in the event of a breach.
- If the breach affects individuals in different EU countries, the ICO may not be the lead supervisory authority. Sally de Waard will also need to establish which European data protection authority is the lead supervisory authority for the processing activities that have been subject to the breach.
- We will assess whether the personal data breach is likely to result in a risk to the rights and freedoms of the affected data subjects by conducting an investigation and/or an impact assessment. If we decide that we do not need to report the breach to the ICO, we will justify and document our decision.
- If a risk to data subject(s) is likely, Sally de Waard will report the personal data breach to the ICO without undue delay, and not later than 72 hours after becoming aware of it.
- If the data breach notification to the ICO is not made within 72 hours, Sally de Waard will submit the notification electronically together with a justification for the delay.
- If it is not possible to provide all of the necessary information at the same time, we will provide the information in phases without undue further delay.
- The following information needs to be provided to the supervisory authority:
  - A description of the nature of the breach
  - The categories of personal data affected
  - Name and contact details of Sally de Waard
  - Likely consequences of the breach
  - Any measures taken to address the breach
  - Any other information relating to the data breach
  - Approximate number of data subjects affected
  - Approximate number of personal data records affected
- The breach notification should be made via telephone – ICO: 0303 123 1113. Alternatively, Sally de Waard may choose to report it online if the investigation is still ongoing and more information will be available at a later date, or if confident that the breach has been dealt with.
- In the event the ICO assigns a specific contact in relation to a breach, their details are recorded in the Internal Breach Register.
9. Procedure – Breach notification data controller to data subject
- If the personal data breach is likely to result in a high risk to the rights and freedoms of the data subjects, The Old Millhouse will notify the affected data subjects without undue delay and in accordance with Sally de Waard
- ‘High risk’ means the threshold for informing individuals is higher than for notifying the ICO. In any event, Sally de Waard will document the decision-making process.
- We will describe the breach in clear and plain language, in addition to the information specified in clauses 8.7.1-8.7.6.
- The data controller takes subsequent measures to ensure that the risks to the rights and freedoms of the data subjects are no longer likely to materialise.
- If the breach affects a high volume of data subjects and personal data records, we will make a decision based on an assessment of the effort involved in notifying each data subject individually, and whether doing so would hinder our ability to provide the notification within the specified time frame. In such a scenario a public communication or similar measure that informs those affected in an equally effective manner will be considered by Sally de Waard, whose decision will be
- If we have not notified the data subject(s), and the supervisory authority considers that the data breach is likely to result in a high risk, The Old Millhouse will communicate the data breach to the data subjects by telephone or email.
- We will document any personal data breach(es) in the Internal Breach Register, recording the facts relating to the personal data breach, its effects and the remedial action(s) taken.
10. Documentation requirements
Internal breach register: there is an obligation for us to document each incident “comprising the facts relating to the personal data breach, its effects and the remedial action taken”.
11. Evaluation
- Once the initial incident is contained, Sally de Waard will carry out a full review of the causes of the breach, the effectiveness of the response(s), and whether any changes to systems, policies and procedures should be made.
- Existing controls will be reviewed to determine their adequacy and whether any corrective action should be taken to minimise the risk of similar incidents.
- The review will consider various points, including but not limited to:
  - Where and how personal data is held and stored
  - Where the biggest risks lie, identifying any further potential weak points within our existing measures
  - Whether methods of transmission are secure and whether only the minimum amount of data necessary is shared
  - Weak points within existing security measures
  - Staff awareness