Guardtech Cleanrooms LTD Data Breach Policy

Last edit: 5 July 2022 (to be reviewed every six months)

Data Breach Notification Policy (GDPR compliant)

1. Aim and scope of policy

Guardtech Cleanrooms is fully aware of its obligations under the General Data Protection Regulation (GDPR) to process data lawfully and to ensure it is kept securely. We take these obligations seriously and have protocols in place to ensure that, to the best of our efforts, data is not susceptible to loss or other misuse. The GDPR incorporates a requirement for a personal data breach to be notified to the supervisory authority and in some cases to the affected individuals. This policy sets out Guardtech’s stance on taking action in line with GDPR if a breach were to occur.

2. Personal data breach

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or processed. A ‘breach’, for these purposes, is identifiable as a security incident which has affected the confidentiality, integrity or availability of personal data.

As indicated above, a data breach for these purposes is wider in scope than the loss of data.

The following are examples of data breaches:

  • Access by an unauthorised third party
  • Deliberate or accidental action (or inaction) by a data controller or data processor
  • Sending personal data to an incorrect recipient
  • Computing devices containing personal data being lost or stolen
  • Alteration of personal data without permission
  • Loss of availability of personal data.

3. Breach detection measures

We have implemented the following measures to assist us in detecting a personal data breach:

  • Regular staff training
  • Published Privacy Policy and procedures so any concerns regarding personal data can be reported: https://www.guardtechcleanrooms.com/privacy-policy/
  • Regular reviews and risk assessments of the procedures and processes for collecting and storing personal data

4. Notifiable breaches

For the purposes of this policy, a data breach will be notifiable when it is deemed by Guardtech as likely to pose a risk to people’s rights and freedoms. If it does not carry that risk, the breach is not subject to notification although it will be entered on Guardtech’s Data Breach Log.

A risk to people’s freedoms can include physical, material or non-material damage such as discrimination, identity theft or fraud, financial loss and damage to reputation.

When assessing the likelihood of the risk to people’s rights and freedoms, Guardtech will consider:

  • The type of breach
  • The type of data involved – including what it reveals about individuals
  • How much data is involved
  • The individuals involved – how many are involved, how easy it is to identify them, how bad the consequences for the individuals would be and the resultant severity of a breach.

5. Actions upon identification of breach

When the Chief Protection Officer and Data Protection Officer are made aware of a breach, they will undertake an immediate investigation into what happened and what actions must be taken to restrict any consequences. A determination will be made at that point whether the breach is deemed a notifiable breach and whether it is deemed as resulting in a high risk to the rights and freedoms of individuals.

6. Timescales for notification to supervisory authority

Where a notifiable breach has occurred, Guardtech will notify the ICO without undue delay and at the latest within 72 hours of it becoming aware of the breach. If notification is made beyond this timeline, Guardtech will provide the ICO with reasons for this.

If it has not been possible to conduct a full investigation into the breach in order to give full details to the ICO within 72 hours, an initial notification of the breach will be made within 72 hours, giving as much detail as possible, together with reasons for incomplete notification and an estimated timescale for full notification. The initial notification will be followed up by further communication to the ICO to submit the remaining information.

7. Content of breach notification to the supervisory authority

The following information will be provided when a breach is notified:

  • A description of the nature of the personal data breach including, where possible:
      – The categories and approximate number of individuals concerned
      – The categories and approximate number of personal data records concerned
  • The name and contact details of the Data Protection Officer where more information can be obtained
  • A description of the likely consequences of the personal data breach
  • A description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.

8. Timescales for notification to affected individuals

Where a notifiable breach has occurred which is deemed to have a high risk to the rights and freedoms of individuals, Guardtech will notify the affected individuals themselves – this being the individuals whose data is involved in the breach, in addition to the supervisory authority. This notification will be made without undue delay and may, dependent on the circumstances, be made before the supervisory authority is notified. A high risk may be, for example, where there is an immediate threat of identity theft, or if special categories of data are disclosed online.

9. Content of breach notification to the affected individuals

The following information will be provided when a breach is notified to the affected individuals:

  • A description of the nature of the breach
  • The name and contact details of the Data Protection Officer where more information can be obtained
  • A description of the likely consequences of the personal data breach and a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including (where appropriate) the measures taken to mitigate any possible adverse effects

10. Record of breaches

Guardtech records all personal data breaches regardless of whether they are notifiable or not as part of its general accountability requirement under GDPR. It records the facts relating to the breach, its effects and the remedial action taken.

11. Data Protection Officer

Guardtech’s Data Protection Officer is Operations Director Conor Barwise, who can be contacted at Unit C, The Brocks Business Centre, Haverhill, Suffolk, CB9 8QP or by email at c.barwise@guardtech.com. Their Data Controllers are Ray Wheeler and Joe Shackley, who can be contacted at Unit C, The Brocks Business Centre, Haverhill, Suffolk, CB9 8QP or by email at r.wheeler@guardtech.com and j.shackley@guardtech.com. Mr Wheeler is responsible for maintaining Guardtech’s secure contacts database while Mr Barwise is responsible for the overall implementation of Guardtech’s GDPR policies. Mr Shackley provides support to both in all areas of GDPR.

12. Guardtech Website Policy Pages

Guardtech’s key policies, including their Privacy Policy and Legitimate Interests Assessment, can be found here: