A Personal Data Breach can include:
A breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable and this unavailability has a significant negative effect on individuals.
As soon as a personal data breach is apparent or suspected, the Company's GDPR Compliance Manager should be notified without delay via firstname.lastname@example.org, providing as much detail as possible.
On becoming aware of a breach, the Compliance Manager will work with the relevant departmental managers to assess the severity of the data breach and inform the Board. Fine Cut will try to contain it and assess the potential adverse consequences for individuals, based on how serious or substantial these are, and how likely they are to happen.
When a personal data breach has occurred, the likelihood and severity of the resulting risk to people’s rights and freedoms will be established. If it is likely that there will be a risk then the ICO will be notified; if it is unlikely then the ICO need not be informed. Where we decide not to report the breach, it will be documented to justify this decision.
Where Fine Cut uses a data processor and the processor suffers a breach, the processor must inform Fine Cut without undue delay after becoming aware of it; Fine Cut will then notify the ICO of the data breach.
A notifiable breach will be reported to the ICO without undue delay, but no later than 72 hours after becoming aware of the breach. If it takes longer, then reasons for the delay will be given.
As it is not always possible to investigate a breach fully within 72 hours to understand exactly what has happened and what needs to be done to mitigate it, the required information can be provided in phases, as long as it is done without undue further delay.
When a breach is reported to the ICO, the report will include:
The individual will be notified of a breach where it is likely to result in a high risk to the rights and freedoms of the individual.
Regardless of whether or not a data breach was reported to the ICO, all breaches will be recorded. The record will document the facts relating to the breach, its effects and the remedial action taken.
All breaches will be investigated to establish whether the breach was the result of human error or a systemic issue, and to determine how a recurrence can be prevented, whether through better processes, further training or other corrective steps.