DATA BREACH POLICY


Data security breaches are increasingly common, whether caused by human error or by malicious intent. As technology changes and the volume of data and information grows, new ways in which data can be breached keep emerging. Global Protection Gateway needs a robust and systematic process for responding to any reported data security breach, so that it can act responsibly and protect its information assets as far as possible.

Policy Owner: The group policy owner for this policy is Carl Wileman.
 

Aim
 

The aim of this policy is to standardise the Global Protection Gateway response to any reported data breach incident and to ensure that incidents are appropriately logged and managed in accordance with our best-practice guidelines.
By adopting a standardised, consistent approach to all reported incidents, it aims to ensure that:

  • Incidents are reported in a timely manner and can be properly investigated

  • Incidents are handled by appropriately authorised and skilled personnel

  • Appropriate levels of Global Protection Gateway management are involved in response management

  • Incidents are recorded and documented

  • The impact of each incident is understood and action is taken to prevent further damage

  • Evidence is gathered, recorded and maintained in a form that will withstand internal and external scrutiny

  • External bodies or data subjects are informed as required

  • The incidents are dealt with in a timely manner and normal operations restored

  • The incidents are reviewed to identify improvements in policies and procedures.

Definition
A data security breach is considered to be "any loss of, or unauthorised access to, Global Protection Gateway data". Examples of data security breaches include:

  • Loss or theft of data or equipment on which data is stored

  • Unauthorised access to Confidential or Highly Confidential Global Protection Gateway data

  • Equipment failure

  • Human error

  • Unforeseen circumstances such as a fire or flood

  • Hacking attack

  • 'Blagging' offences, where information is obtained by deceit (for example, by impersonating a data subject or a colleague)

For the purpose of this policy data security breaches include both confirmed and suspected incidents.

 

Scope


This Global Protection Gateway policy applies to all information we hold, regardless of format, and is applicable to all staff, visitors, contractors, consultants and data processors acting on behalf of Global Protection Gateway. It is to be read in conjunction with the Global Protection Gateway Data Protection Policy and any other relevant documentation.

Responsibilities


Information users
All information users are responsible for reporting actual, suspected, threatened or potential information security incidents and for assisting with investigations as required, particularly where urgent action must be taken to prevent further damage.

Supervisors
Supervisors are responsible for ensuring that staff in their area act in compliance with this policy and assist with investigations as required.

Data Protection Officer
The Data Protection Officer (DPO) is responsible for overseeing management of the breach in accordance with the Data Breach Management Plan. Suitable delegation may be appropriate in some circumstances.

Contact Details
Where the MD or the DPO needs to be contacted, Carl Wileman can be reached via our contact form.


Data Classification


Data security breaches vary in impact and risk depending on the content and quantity of the data involved. It is therefore important that Global Protection Gateway can quickly identify the classification of the data involved and respond to every reported incident in a timely and thorough manner.

Every reported incident must state the classification of the data involved so that the risk can be assessed. Data classification in this policy means the following approved Global Protection Gateway data categories:

Public Data:
Information intended for public use, or information which can be made public without any negative impact for Global Protection Gateway

Internal Data:
Information regarding the day-to-day business and operations of Global Protection Gateway. Primarily for staff, though some of this information may be useful to third parties who work with Global Protection Gateway.

Confidential Data:
Information of a more sensitive nature for the business and operations of Global Protection Gateway, representing its basic intellectual capital and knowledge. Access should be limited to those people who need to know as part of their role within Global Protection Gateway.

Highly Confidential Data:
Information that, if released, would cause significant damage to Global Protection Gateway's business activities or reputation, or would lead to a breach of the Data Protection Act. Access to this information should be highly restricted.

Data Security Breach Reporting
Confirmed or suspected data security breaches must be reported promptly to admin via our contact form. The report should include full and accurate details of the incident, including who is reporting it, what happened, and the classification of the data involved. Where possible, the Data Breach Report form should be completed as part of the reporting process, along with an entry in the Data Breach Log.
Once a data breach has been reported, an initial assessment will be made to establish the severity of the breach and how it should be handled.
All data security breaches will be centrally recorded in the Data Breach Log, so that the types and frequency of confirmed incidents can be overseen for management and reporting purposes.

 

Data Breach Management Plan

The management response to any reported data security breach will involve the following four elements (see the suggested checklists below):

  1. Containment and Recovery

  2. Assessment of Risks

  3. Consideration of Further Notification

  4. Evaluation and Response

Each of these four elements will be carried out in accordance with the Data Security Breach checklists. A Data Breach Log entry recording the timeline of the incident management must also be completed.

Authority
Staff, contractors, consultants, visitors and guests who act in breach of this policy, or who do not act to implement it, may be subject to disciplinary procedures or other appropriate sanctions.

Review
The DPO will monitor the effectiveness of this policy and carry out regular reviews of all reported breaches.

References

Information Commissioner:
https://ico.org.uk/media/for-organisations/documents/1562/guidance_on_data_security_breach_management.pdf

Evaluation of Incident Severity
The severity of the incident will be assessed by the DPO in accordance with the standard IS Incident Management Process. All breaches of data protection must be reported immediately to the DPO for assessment.

Assessment is made against the following criteria:

  1. Major or critical breaches of data security: for example, loss of over 1,000 data items, incidents involving external third parties, or incidents likely to attract media coverage. These require an immediate response.

  2. Moderately critical breaches of data security: for example, loss of between 100 and 999 data items. These do not require an immediate response.

  3. Low or minor breaches of data security: for example, incidents involving only Internal or Confidential data, a low number of individuals, or only a small inconvenience to data subjects.

 

Data Breach Action Checklists

  1. Containment and Recovery

  2. Assessment of Risks

  3. Consideration of Further Notification

  4. Evaluation and Response

 

Reporting


The DPO will first assess the severity of the breach and, if necessary, report it to the ICO within 2 working days of becoming aware of the breach. Where the UK GDPR applies, Article 33 requires notification to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of a notifiable breach; that statutory deadline takes precedence wherever it is shorter than the two-working-day target.