GDPR: DATA BREACH POLICY

This is the Data Breach Policy of Optimum Forklift Training Services

Background

The General Data Protection Regulation (GDPR) is based around six principles for the handling of personal data. We must comply with all six principles as a business; otherwise we’ll be in breach of the GDPR. We understand that the principles give people specific rights in relation to their personal information and place certain obligations on those organisations that are responsible for processing it.

Aim

The GDPR requires that we must take appropriate measures against unauthorised or unlawful processing and against accidental loss, destruction of or damage to personal data. This policy sets out how we deal with a data security breach.

What is a personal data breach?

The Information Commissioner’s Office states that a personal data breach can be broadly defined as a security incident that has affected the confidentiality, integrity or availability of personal data. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable and this unavailability has a significant negative effect on individuals.

Action to be taken in the event of a data breach

  1. Containment and recovery

The immediate priorities are to:

  • Contain the breach;
  • Assess the potential adverse consequences for individuals, based on how serious or substantial these are, and how likely they are to happen; and
  • Limit the scope.

In the event of a security incident or breach, staff must immediately inform Clifford Hickton.

Clifford Hickton will take the lead on investigating the breach. In the event where Clifford Hickton is absent for whatever reason, Joanna Gray will take the lead on investigating a breach.

Steps to take where personal data has been sent to someone not authorised to see it:

  • Inform the recipient not to pass it on or discuss it with anyone else;
  • Inform the recipient to destroy or delete the personal data they have received and get them to confirm in writing that they have done so;
  • Explain to the recipient the implications if they further disclose the data; and
  • Where relevant, inform the data subjects whose personal data is involved what has happened so that they can take any necessary action to protect themselves.

  2. Assessing the risk

Perhaps most important is an assessment of potential adverse consequences for individuals, how serious or substantial these are and how likely they are to happen.

Examples of the type of questions to consider:

  • What type of data is involved?
  • How sensitive is it?
  • If data has been lost or stolen, are there any protections in place such as encryption?
  • What has happened to the data? If stolen, could it be used for purposes which are harmful to the individuals to whom the data relate? If it has been damaged, this poses a different type and level of risk.
  • Estimate how many individuals’ personal data are affected by the breach.
  • Who are the individuals whose data has been breached? Whether they are staff, customers, clients or suppliers, for example, will to some extent determine the level of risk posed by the breach and, therefore, our actions in attempting to mitigate those risks.
  • What harm can come to those individuals? Are there risks to physical safety or reputation, of financial loss, or a combination of these and other aspects of their life?
  • Are there wider consequences to consider, such as a risk to public health or loss of public confidence in an important service we provide?
  • Establish whether there is anything we can do to recover any losses and limit the damage the breach can cause.

  3. Notifying the ICO and individuals, where relevant

  a) Who is responsible?

In our business, Clifford Hickton is the point of contact for staff and the ICO on this policy and on all matters relating to data protection.

Clifford Hickton is also responsible for notifying the ICO and individuals (where applicable) of relevant personal data breaches.

  b) What breaches do we need to notify the ICO about?

When a personal data breach has occurred, we need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a risk then we must notify the ICO; if it’s unlikely then we don’t have to report it.

If we decide we don’t need to report the breach, we need to be able to justify this decision, and we should document it.

  c) When to notify the ICO and dealing with delays

Notifiable breaches must be reported to the ICO without undue delay, and not later than 72 hours after becoming aware of the breach.

If we don’t comply with this requirement, we must be able to give reasons for the delay.

In some instances it will not be possible to investigate a breach fully within 72 hours to understand exactly what has happened and what needs to be done to mitigate it. Where that applies we should provide the required information in phases, as long as this is done without undue further delay.

  d) Breach information to the ICO

When reporting a breach, we will provide the following information:

  • a description of the nature of the personal data breach including, where possible:
      • the categories and approximate number of individuals concerned; and
      • the categories and approximate number of personal data records concerned;
  • our contact persons, Clifford Hickton and Joanna Gray;
  • a description of the likely consequences of the personal data breach; and
  • a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.

  e) Individuals

Where notification to individuals may also be required, Clifford Hickton will assess the severity of the potential impact on individuals as a result of a breach and the likelihood of this occurring. Where there is a high risk, we will inform those affected as soon as possible, especially if there is a need to mitigate an immediate risk of damage to them.

  f) Information to individuals

Clifford Hickton will consider who to notify, what we are going to tell them and how we are going to communicate the message. This will depend to a large extent on the nature of the breach but will include the name and contact details of our data protection officer (where relevant) or other contact point where more information can be obtained; a description of the likely consequences of the personal data breach; and a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.

The breach need not be reported to individuals if:

  • We have implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach;
  • We have taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise;
  • It would involve disproportionate effort (in this case a public communication may be more appropriate).

In the case of a breach affecting individuals in different EU countries, we are aware that the ICO may not be the lead supervisory authority. Where this applies, Clifford Hickton should establish which European data protection agency would be the lead supervisory authority for the processing activities that have been subject to the breach.

  g) Third parties

In certain instances, Clifford Hickton may need to consider notifying third parties such as the police, insurers, professional bodies, banks or credit card companies who can assist in reducing the risk of financial loss to individuals.

  h) Document all decisions

Clifford Hickton must document all decisions that we take in relation to security incidents and data breaches, regardless of whether or not they need to be reported to the ICO.

[It is important to be aware that if you are a communications service provider, a UK trust service provider, an operator of essential services or a digital service provider, you may have additional notification obligations under other laws if you experience a personal data breach. Where this applies, please follow the ICO guidance that can be found here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/]

  4. Evaluate our response and mitigation steps

We investigate the cause of any breach, decide on remedial action and consider how we can mitigate it. As part of that process we also evaluate the effectiveness of our response to incidents or breaches. To assist in this evaluation we consider:

  • What personal data is held, where and how it is stored;
  • Risks that arise when sharing with or disclosing to others; this includes checking the method of transmission to make sure it’s secure and that we only share or disclose the minimum amount of data necessary;
  • Weak points in our existing security measures, such as the use of portable storage devices or access to public networks;
  • Whether the breach was a result of human error or a systemic issue, and how a recurrence can be prevented, whether through better processes, further training or other corrective steps;
  • Staff awareness of security issues, filling any gaps through training or advice;
  • The need for a Business Continuity Plan for dealing with serious incidents; and
  • The group of people responsible for reacting to reported breaches of security.

  5. Review

This document is dated 13/09/2019 and will be reviewed by us every 6 months.
