Last updated: 01/06/2023
Section 1 – Introduction
GRIP Technologies Limited is committed to ensuring the security and privacy of all personal data in its possession. This policy outlines the steps to be taken in the event of a data breach to minimise risks to data subjects and ensure compliance with data protection regulations, such as the UK GDPR and Data Protection Act 2018.
Section 2 – Purpose
The purpose of this policy is to:
- Define a clear protocol for detecting, managing, and reporting data breaches.
- Ensure compliance with regulatory requirements, including the timely notification of relevant authorities and affected individuals.
- Mitigate the risk to affected individuals and the organisation.
Section 3 – Scope
This policy applies to all employees, contractors, and third-party vendors handling personal data on behalf of GRIP Technologies Limited. It encompasses breaches that result from both technical (e.g., hacking, system failures) and physical (e.g., lost files, unauthorised access) incidents.
Section 4 – Definition of a Data Breach
A personal data breach refers to any security incident that results in unauthorised access, disclosure, alteration, or loss of personal data, whether accidental or intentional. Breaches may include:
- Data theft (internal or external)
- Unauthorised access to personal data
- Accidental deletion or loss of data
- Breaches of physical security (e.g., loss of a company laptop containing sensitive data)
Section 5 – Designated Data Protection Lead
The Data Protection Lead (DPL) is responsible for coordinating the response to data breaches. The DPL’s key responsibilities include:
- Assessing the nature of the breach.
- Determining the risks to data subjects.
- Liaising with the Information Commissioner’s Office (ICO) and other relevant authorities.
- Overseeing the investigation and corrective action.
- Ensuring affected data subjects are informed where required.
Section 6 – Data Breach Response Procedure
Step 1: Breach Identification
Upon detecting a potential breach, staff must report the incident immediately to the DPL. All staff are trained to recognise and report potential breaches, even those deemed minor.
Step 2: Initial Assessment
The DPL will perform an initial assessment to determine:
- The nature and scope of the breach.
- The type of data affected.
- The potential harm to individuals.
Step 3: Containment and Recovery
Steps must be taken immediately to contain the breach and limit further access or damage. This includes:
- Isolating affected systems.
- Engaging the IT team and third-party vendors, where appropriate, to assist in containment.
- Recovering lost or compromised data, where possible.
Step 4: Risk Assessment
A risk assessment will evaluate the potential impact on individuals and the organisation. Factors to consider include:
- Type of personal data affected (e.g., financial, medical, identification).
- The sensitivity of the data.
- The number of individuals affected.
- Potential consequences (e.g., identity theft, financial loss, reputational damage).
Step 5: Notification of the ICO
If the breach poses a risk to individuals’ rights and freedoms, the ICO must be notified within 72 hours. The initial report must include:
- Nature of the breach.
- Categories and approximate number of data subjects affected.
- Contact details of the DPL.
- Potential consequences of the breach.
- Measures taken to address the breach.
If the notification is late, an explanation for the delay must be provided.
Step 6: Notification of Data Subjects
Where the breach is likely to result in a high risk to the rights and freedoms of individuals, the affected individuals must be informed without undue delay. The notification must:
- Describe the nature of the breach.
- Provide details of the Data Protection Lead for further contact.
- Outline the possible consequences.
- Offer recommendations to mitigate risks (e.g., password changes).
If individual notification is impractical due to the volume of data subjects, a public communication (e.g., press release) will be issued.
Step 7: Corrective Actions
After the breach has been contained, the DPL will:
- Conduct a full investigation to determine the root cause.
- Implement corrective actions, including security updates, employee training, or changes to protocols to prevent recurrence.
- Engage third-party support, such as IT or legal advisors, if necessary.
Section 7 – Documentation
All breaches, including the investigation, corrective actions, and any communication with the ICO or data subjects, must be documented. A record of all incidents (whether reportable or not) will be kept in the Data Protection Risk Register, maintained by the DPL.
Section 8 – Preventive Measures
To reduce the likelihood of data breaches, GRIP Technologies Limited will:
- Encrypt all sensitive data (e.g., identification records, medical information).
- Conduct regular security audits, including vulnerability assessments and penetration tests.
- Ensure ongoing staff training on data protection and breach prevention.
- Maintain strong access controls, including multi-factor authentication and regular password updates.
- Enforce a clear desk policy and other physical security measures.
Section 9 – Employee Responsibilities
All employees are responsible for adhering to data protection policies and reporting any suspected data breaches to the DPL. Failure to comply with data protection policies may result in disciplinary action.
Section 10 – Review and Updates
This policy will be reviewed annually or after any significant data breach or legislative change to ensure it remains up-to-date with regulatory requirements and industry best practices.
Section 11 – Contact Information
Email: dpo@griptechnologies.co.uk
Phone: 0208 77 000 51
Address: 113 Westmead Road, Sutton SM1 4JE