Data Breach Policy
To ensure your protection, it is important that we have a policy in place to highlight the action we will take should a breach of our personal data policy take place.
‘Breach’ definition
A “personal data breach” is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. Breaches may be accidental or deliberate.
- Destruction means the data no longer exists or no longer exists in a form that is of any use to the controller/processor
- Damage refers to the data being altered, corrupted or no longer complete
- Loss means the data may still exist, but control of it or access to it has been lost or it is no longer in the possession of those that should have it
- Unauthorised or unlawful processing may include disclosure of personal data to (or access by) recipients who are not authorised to receive (or access) the data, or any other form of processing which violates the GDPR.
A data breach can result in emotional distress or physical or material damage to the data subject, including loss of control over their personal data, limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, loss of confidentiality and economic or social disadvantage.
Detecting the breach
Your personal data will only be used for the purposes for which you have given us permission and will be safely stored. All J+D staff have been thoroughly trained on the use, storage, retention and deletion of personal data.
In order to detect a data breach, we will:
- At the beginning of each project, agree with all parties the data being collected, those processing the data and the safeguards in place to ensure this data is handled appropriately
- At the end of each project, review the original data process agreement and ask all parties to confirm that no data breach has taken place and that the data will be destroyed in accordance with the agreed destruction timeframe
- Review security systems annually or when significant changes are being made to our IT infrastructure
- No longer use USB devices or attach personal data to emails (unless securely encrypted)
Containing the breach
Should a data breach be observed, then we will take immediate action to ensure the impact of this breach is minimised:
- Understand the source/reason for the data breach
- Remove the data from its current location (if applicable, depending on the nature of the breach)
- Retrieve the data from where it has been sent (if applicable, depending on the nature of the breach)
- Review the underlying data policy to understand how this breach has occurred and how we can prevent this from happening in the future
Assessing the potential impact of the breach
Once action has been taken to contain the data breach, we will then examine the potential impact of the breach on the data subjects involved. This will include an assessment of the types of data subjects, the personal data involved in the breach, the physical/emotional/financial damage the breach could potentially cause the data subjects and the likelihood of this happening.
Once this has been assessed, we will, if necessary, contact the ICO to let them know of the data breach; all breaches where the impact is categorised as medium to high will also be reported to the data subjects.
- What caused the breach to occur
- The specific details of what happened
- The personal data affected, including the types and numbers of records and individuals
- The consequences and potential consequences of the breach
- Remedial action taken – to deal with breach and mitigate its impact
- Explanation of the decision to notify or not to notify the ICO/individuals affected
Taking the appropriate action
If necessary, the ICO will be notified of a data breach within 72 hours of the breach being observed (where the breach is considered to have caused, or to have the potential to cause, damage to the data subjects). This notification will also contain our assessment as to whether the data subjects in question will also need to be notified (depending on the nature/impact of the breach).
Contact details and information to provide
Should you have any questions or concerns about our data breach policy, or indeed any general questions or concerns about the wider use and processing of personal data within J+D Consulting, please use the following contact details:
Kristian Barker
[email protected]
+44 (0)161 486 5005
J+D Consulting Limited, Landmark House, Station Road, Cheadle Hulme, Cheshire, SK8 7BS
Should you feel that your question or concern has been inadequately handled, you have a right to lodge a complaint with the Information Commissioner’s Office.
0303 123 1113
J+D registration reference: ZA320493