GDPR Data Breach Policy and Response Plan

Introduction

Under the General Data Protection Regulation (GDPR), certain personal data breaches must be notified to the Information Commissioner’s Office (ICO) and sometimes affected data subjects need to be told too.

The purpose of this policy is to outline the internal breach reporting procedure of Rais Garifullin, registered in Georgia, Krtsanisi distr, Fonichala settl-t, 3, bld. 5, 1328 Tbilisi (“the Company”) and our internal and external response plan and it should be read in conjunction with our data protection policy.
 

What constitutes a personal data breach?

A personal data breach is a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

A breach is therefore a type of security incident and there are three different types of breach that may occur:

  1. Confidentiality breach – an accidental or unauthorised disclosure of, or access to, personal data.
  2. Availability breach – an accidental or unauthorised loss of access to, or destruction of, personal data.
  3. Integrity breach – an accidental or unauthorised alteration of personal data.

A breach can concern confidentiality, availability and integrity of personal data at the same time, as well as any combination of these.

A personal data breach would, for example, include:

  • personal data being disclosed to an unauthorised person, e.g. an email containing personal data being sent to the wrong person.
  • an unauthorised person accessing personal data, e.g. an employee’s personnel file being inappropriately accessed by another member of staff due to a lack of appropriate internal controls.
  • a temporary or permanent loss of access to personal data, e.g. where a client’s or customer’s personal data is unavailable for a certain period of time due to a system shut down, power, hardware or software failure, infection by ransomware or viruses or denial of service attack, where personal data has been deleted either accidentally due to human error or by an unauthorised person or where the decryption key for securely encrypted data has been lost.

This list is not exhaustive.
 

Notification to the ICO

Not all personal data breaches have to be notified to the ICO. The breach will only need to be notified if it is likely to result in a risk to the rights and freedoms of data subjects, and this needs to be assessed by the Company on a case-by-case basis. A breach is likely to result in a risk to the rights and freedoms of data subjects if, for example, it could result in:

  • loss of control over their data
  • limitation of their rights
  • discrimination
  • identity theft
  • fraud
  • damage to reputation
  • financial loss
  • unauthorised reversal of pseudonymisation
  • loss of confidentiality
  • any other significant economic or social disadvantage.

Where a breach is reportable, the Company must notify the ICO without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach. If our report is submitted late, it must also set out the reasons for our delay. Our notification must at least include:

  • a description of the nature of the breach including, where possible, the categories and approximate number of affected data subjects and the categories and approximate number of affected records
  • the name and contact details of the Company’s CEO
  • a description of the likely consequences of the breach
  • a description of the measures taken, or to be taken, by the Company to address the breach and mitigate its possible adverse effects.

We can provide this information in phases, without undue further delay, if it cannot all be provided at the same time.

Awareness of the breach occurs when we have a reasonable degree of certainty that a breach has occurred. In some cases, it will be relatively clear from the outset that there has been a breach. However, where it is unclear whether or not a breach has occurred, we will have a short period of time to carry out an initial investigation after first being informed about a potential breach in order to establish with a reasonable degree of certainty whether or not a breach has in fact occurred. If, after this short initial investigation, we establish that there is a reasonable degree of likelihood that a breach has occurred, the 72 hours starts to run from the moment of that discovery.
 

Communication to affected data subjects

Where the personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, the Company also needs to communicate the breach to the affected data subjects without undue delay, i.e. as soon as possible. In clear and plain language, we must provide them with:

  • a description of the nature of the breach
  • the name and contact details of the Company’s CEO
  • a description of the likely consequences of the breach
  • a description of the measures taken, or to be taken, by the Company to address the breach and mitigate its possible adverse effects.

We will also endeavour to provide data subjects with practical advice on how they can themselves limit the damage, e.g. cancelling their credit cards or resetting their passwords.

We will contact data subjects individually, by e-mail, unless that would involve the Company in disproportionate effort, such as where their contact details have been lost as a result of the breach or were not known in the first place, in which case we will use a public communication, such as a notification on our website.

However, we do not need to report the breach to data subjects if:

  • we have implemented appropriate technical and organisational protection measures, and those measures have been applied to the personal data affected by the breach, in particular those that render the personal data unintelligible to any person who is not authorised to access them, such as state-of-the-art encryption, or
  • we have taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise.
     

Assessing “risk” and “high risk”

In assessing whether a personal data breach results in a risk or high risk to the rights and freedoms of data subjects, the Company will take into account the following criteria:

  • the type of breach
  • the nature, sensitivity and volume of personal data affected
  • ease of identification of data subjects – properly encrypted data is unlikely to result in a risk if the decryption key was not compromised in the breach
  • the severity of the consequences for data subjects
  • any special characteristics of the data subject
  • the number of affected data subjects
  • special characteristics of the Company.
     

Data breach register

The Company will maintain a register of all personal data breaches, regardless of whether or not they are notifiable to the ICO. The register will include a record of:

  • the facts relating to the breach, including the cause of the breach, what happened and what personal data were affected
  • the effects of the breach
  • the remedial action we have taken.
     

Data breach reporting procedure

If you know or suspect that a personal data breach has occurred, you must immediately both advise your line manager and contact the Company’s CEO. You must ensure you retain any evidence you have in relation to the breach and you must provide a written statement setting out any relevant information relating to the actual or suspected personal data breach, including:

  • your name, department and contact details
  • the date of the actual or suspected breach
  • the date of your discovery of the actual or suspected breach
  • the date of your statement
  • a summary of the facts relating to the actual or suspected breach, including the types and amount of personal data involved
  • what you believe to be the cause of the actual or suspected breach
  • whether the actual or suspected breach is ongoing
  • who you believe may be affected by the actual or suspected breach.

You must then follow the further advice of the CEO. You must never attempt to investigate the actual or suspected breach yourself and you must not attempt to notify affected data subjects. The Company will investigate and assess the actual or suspected personal data breach in accordance with the response plan set out below and the data breach team will determine who should be notified and how.
 

Response plan

The Company’s CEO will assemble a team to investigate, manage and respond to the personal data breach. They will lead this team and the other members will consist of nominated senior members of the management team. The data breach team will then:

  1. Make an urgent preliminary assessment of what data has been lost, why and how.
  2. Take immediate steps to contain the breach and recover any lost data.
  3. Undertake a full and detailed assessment of the breach.
  4. Record the breach in the Company’s data breach register.
  5. Notify the ICO where the breach is likely to result in a risk to the rights and freedoms of data subjects.
  6. Notify affected data subjects where the breach is likely to result in a high risk to their rights and freedoms.
  7. Respond to the breach by putting in place any further measures to address it and mitigate its possible adverse effects, and to prevent future breaches.
     

Response plan template

Data breach team  
Data breach team lead:  
Other members of data breach team:  
Background  
Name and department of person notifying actual or suspected breach:  
Date of actual or suspected breach:  
Date of discovery of actual or suspected breach:  
Date of internal notification of actual or suspected breach:  
Preliminary assessment  
Summary of the facts relating to the actual or suspected breach, including the types of personal data involved:  
Categories and approximate number of affected data subjects:  
Categories and approximate number of affected records:  
How sensitive is the personal data?  
Cause of the actual or suspected breach:  
Any other relevant information or comments:  
Containment and recovery  
Is the actual or suspected breach ongoing?  
What steps can be taken to contain the breach, i.e. to stop or minimise further loss, destruction or unauthorised disclosure?  
What steps can be taken to recover any lost personal data?  
Does the breach need to be reported to the police, for example if there is evidence of theft?  
Does any professional regulator or trade body need to be notified of the breach?  
Does the breach need to be reported to any relevant insurers, e.g. professional indemnity?  
Detailed assessment  
What types of personal data are involved, and does the breach involve any special categories of personal data or personal data relating to criminal convictions and offences?  
Who is affected by the breach?  
What are the likely consequences of the breach for affected data subjects?  
Where personal data has been lost or stolen, are any protections in place such as encryption?  
What has happened to the personal data?  
What uses could a third party make of the personal data?  
Are there any other personal data breaches?  
Has the breach been recorded in the data breach register?  
Any other relevant information or comments:  
Notifying the ICO  
What is the type of breach?  
What is the nature of the personal data affected?  
What is the potential harm to data subjects?  
What is the sensitivity of the personal data affected?  
What is the volume of personal data affected?  
How easy is it to identify data subjects from the personal data?  
What is the number of affected data subjects?  
Any other relevant information or comments:  
Taking the above into account, is there a legal obligation to notify the ICO?  
Notifying affected data subjects  
Is there a legal or contractual obligation to notify affected data subjects?  
If there is no legal or contractual obligation, should affected data subjects be notified anyway? Consider whether it will help them to know or whether there is a danger of over-notifying.  
What is the best way to notify affected data subjects?  
Do any data subjects, or categories of data subjects, need to be treated with care because of their special characteristics?  
What additional information should be provided to data subjects about what they can do to limit the damage?  
How should affected data subjects contact the Company for further information or advice and how will we manage such responses?  
How will we keep a record of who has been notified?  
Any other relevant information or comments:  
Is there any legal or contractual requirement to notify any other parties?  
Response  
What security measures were in place when the breach occurred?  
What further measures have been, or are to be, put in place to address the breach and mitigate its possible adverse effects?

Please also outline the timetable for any measures that have not yet been taken.

 
What further technical or organisational measures are to be put in place to prevent the breach happening again?  
Does further staff training on data protection awareness need to be conducted?  
Is it necessary to conduct a privacy risk assessment?  
Any other comments:  
Approval of response plan  
Name:  
Job title:  
Date:  
Signature:  

 

Examples of personal data breaches and who to notify

The following non-exhaustive examples will assist the data breach team in determining whether they need to notify in different personal data breach scenarios. These examples may also help to distinguish between risk and high risk to the rights and freedoms of data subjects.
 

Example Notify the ICO? Notify data subjects? Notes
The Company stored a backup of an archive of personal data encrypted on a CD and the CD is stolen during a burglary No No As long as the personal data are encrypted with a state-of-the-art algorithm, backups of the data exist, and the unique key is not compromised, this may not be a reportable breach. However, if it is later compromised, notification is required
Personal data are exfiltrated from a secure website managed by the Company during a cyber-attack Yes, if there are potential consequences to individuals Yes, depending on the nature of the personal data affected and if the severity of the potential consequences to data subjects is high If the risk is not high, the Company can still notify data subjects, depending on the circumstances of the case
A brief power outage lasting several minutes means that clients are unable to call the Company and access their records No No This is not a notifiable personal data breach, but it is still a recordable incident
The Company suffers a ransomware attack which results in all personal data being encrypted, no backups are available and the personal data cannot be restored

On investigation, it becomes clear that the ransomware’s only functionality was to encrypt the personal data, and that there was no other malware present in the system

Yes, if there are potential consequences to individuals as this is a loss of availability Yes, depending on the nature of the personal data affected and the possible effect of the lack of availability of the personal data, as well as other likely consequences If there was a backup available and personal data could be restored in good time, this would not need to be reported to the ICO or to data subjects as there would have been no permanent loss of availability or confidentiality
An employee reports that they have received a monthly payslip for another employee and a short investigation reveals that it is a systemic flaw and other employees may be affected Yes Only if there is high risk If, after further investigation, it is identified that more employees are affected, an update to the ICO must be made and the Company must take the additional step of notifying those other data subjects if there is high risk to them
The Company’s website suffers a cyber-attack and customers’ login usernames, passwords and purchase history are published online by the attacker Yes Yes, as could lead to high risk The Company should take action, e.g. by forcing password resets of the affected accounts, as well as other steps to mitigate the risk
Clients’ personal data are mistakenly sent to the wrong mailing list Yes Yes, depending on the scope and type of personal data involved and the severity of possible consequences  
A direct marketing e-mail is sent to recipients in the “to:” or “cc:” fields, thereby enabling each recipient to see the e-mail address of other recipients Yes, notifying may be obligatory if a large number of individuals are affected, if sensitive personal data are revealed or if other factors present high risks, e.g. the e-mail contains passwords Yes, depending on the scope and type of personal data involved and the severity of possible consequences Notification may not be necessary if no sensitive personal data is revealed and if only a minor number of e-mail addresses are revealed

 


Our all Data Protection Documents: