Data Breach Response Plan
1.1 1StopOrders has implemented appropriate technical and organisations measures to avoid data security breaches. However, in the event that a data security breach happens, we recognise that is important that 1StopOrders is able to detect it and react swiftly and robustly in order to mitigate any risks to data subjects and to comply with our obligations under the General Data Protection Regulation (‘GDPR’).
1.2 This Data Breach Response Plan sets out how we will respond to any suspected or actual data breaches and should be read alongside our Data Protection Policy .
1.3 The GDPR requires 1StopOrders to report ‘notifiable breaches’ without undue delay and, where feasible, not later than 72 hours after having become aware of it. Notification of a breach is required unless it is unlikely to result in a risk to the rights and freedoms of individuals. In the event that a report is not made within 72 hours, 1StopOrders is required to provide the reasons for the delay in reporting it to the ICO.
1.4 If there is deemed to be a “high risk” to the rights and freedoms of individuals following a data breach, 1StopOrders is also required to notify the individuals affected by the breach. However, in the interests of transparency, 1StopOrders recognise that on some occasions it will be appropriate to notify affected individuals, even if we are not legally obliged to do so.
1.5 If 1StopOrders fails to report a notifiable personal data breach, we are at risk of receiving a sanction from the ICO, which may include a fine. Aside from our desire to avoid receiving any sanctions, the purpose of this Data Breach Response Plan is to ensure
that we protect the Personal Data of our stakeholders and minimise any risks to them following a breach.
1.6 1StopOrders will ensure that staff are aware of and are trained on this Data Breach Response Plan to ensure it is effective should a data security incident occur.
1.7 We rely on our staff to be alert to the risk of data security breaches and to follow the procedures set out in this Data Breach Response Plan to ensure that we can react promptly in the event that a breach or suspected breach occurs. Any member of staff who becomes aware of a suspected or actual personal data breach must follow the escalation procedures set out below. Failure to comply with these procedures may be a disciplinary issue.
1.8 1StopOrders’s DPO is Patrick Strassen.
2. What is a personal data breach?
2.1 The legal definition of a personal data breach is, “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
2.2 A data security breach covers more than the simple misappropriation of data and may occur through incidents, such as:
2.2.1 Loss or theft of data or equipment;
2.2.2 People gaining inappropriate access to personal data;
2.2.3 A deliberate attack on systems;
2.2.4 Equipment failure;
2.2.5 Human error;
2.2.6 Acts of God (for example, fire or flood);
2.2.7 Malicious acts such as hacking, viruses or deception.
2.3 Breaches can be categorised according to the following three well-known information security principles:
2.3.1 “Confidentiality breach” - where there is an unauthorised or accidental disclosure of, or access to, personal data;
2.3.2 “Integrity breach” - where there is an unauthorised or accidental alteration of personal data;
2.3.3 “Availability breach” - where there is an accidental or unauthorised loss of access to, or destruction of, personal data.
2.4 Depending on the circumstances, a breach can relate to the confidentiality, integrity and availability of personal data at the same time, as well as any combination of these.
2.5 A breach will always be regarded as an availability breach when there has been a permanent loss of, or destruction of, personal data.
2.6 A security incident resulting in personal data being made unavailable for temporary period is also a type of breach, as the lack of access to the data could have a significant impact on the rights and freedoms of data subjects. This type of breach should be recorded in 1StopOrders’s Data Breach Log. However, depending on the circumstances of the breach, it may or may not require notification to the ICO and communication to affected individuals.
2.7 Where personal data is unavailable due to planned system maintenance being carried out, this should not be regarded as a ‘breach of security’.
3. Understanding the risk to the rights and freedoms of individuals
3.1 A breach can potentially have a number of consequences for individuals, which can result in physical, material, or non-material damage. This can include loss of control over their personal data, limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, and loss of confidentiality of personal data protected by professional secrecy. It can also include any other significant economic or social disadvantage to those individuals.
3.2 When assessing the risk to individuals, the DPO must consider the following factors:
3.2.1 the type of breach;
3.2.2 the nature, sensitivity, and volume of personal data;
3.2.3 ease of identification of individuals;
3.2.4 severity of consequences for individuals;
3.2.5 special characteristics of the individual;
3.2.6 special characteristics of the data controller; and
3.2.7 the number of affected individuals.
4. Timescales for reporting a breach
4.1 1StopOrders is required to report a notifiable breach without undue delay and, where feasible, not later than 72 hours after having become aware of it.
4.2 It is likely that 1StopOrders will be deemed as having become “aware” of a breach when we have a reasonable degree of certainty that a security incident has occurred which has led to personal data being compromised. The GDPR expects us to ascertain
whether all appropriate technological protection and organisational measures have been implemented to establish immediately whether a personal data breach has taken place. This puts an obligation on us to ensure that we will be “aware” of any breaches in a timely manner so that we can take appropriate action.
4.3 While some breaches may be obvious, in other cases we may need to establish whether personal data has been compromised. In such circumstances, we will investigate promptly in accordance with the procedures below to determine whether a breach has happened which, in turn, will enable us to decide if remedial action is needed and if the breach needs to be notified to the ICO and the affected data subjects.
4.4 It is possible that we may not have established all of the relevant facts following a data security breach or completed our investigation within 72 hours. However, in the event that 1StopOrders determines that a breach has taken place and that it needs to be notified to the ICO, a report should be made within 72 hours with the information held at that point in time. In these circumstances, the report to the ICO should explain that further information will be provided as and when it is available.
4.5 It is possible that some breaches may come to the attention of a member of staff or may be flagged up by our IT systems. However, it is also possible that we may be notified about breaches by third parties, such as the people who are affected by the breach, a data processor or by the media.
4.6 In the event that we investigate a suspected breach and we are able to establish that no actual breach has occurred, the Data Breach Log must still be completed so that we can keep records of ‘near misses’ or other weaknesses in our systems and
procedures in order to continuously review and improve our processes.
5. Response plan
5.1 A member of staff within 1StopOrders who becomes aware of a suspected or actual data security breach must inform the DPO by email without delay. The email address for contacting the DPO is email@example.com and the email account should be regularly reviewed by the DPO.
5.2 If a member of staff is unsure if a breach has happened, the above procedures must still be followed without delay so that the suspected breach can be investigated in order to establish whether a breach has happened and, if so, whether it needs to be notified to the ICO or the data subjects.
5.3 Where possible, the Data Breach Log must be completed with as much information as possible and emailed to the DPO and copied to the people listed in Step
5.1. However, if it is not convenient or practicable to complete the Data Breach Log, the report can be made by setting the information out in an email.
5.4 Once a breach or suspected breach has been reported to the DPO, the DPO must commence an investigation and assess whether he / she has sufficient information to identify next steps. The purpose of the investigation is to:
5.4.1 establish if a breach has happened;
5.4.2 establish the nature and cause of the breach;
5.4.3 establish the extent of the damage or harm that results or could result from the breach;
5.4.4 identify the action required to stop the data security breach from continuing or recurring; and
5.4.5 mitigate any risk of harm that may continue to result from the breach.
5.5 The DPO should contact the member of staff who made the report if further information is required.
5.6 If the DPO is unavailable for any reason, for example, the DPO is on annual leave, on sickness absence or is otherwise not available to respond to the data breach, then the Deputy DPO must fulfil the responsibilities of the DPO set out in this Data Breach Response Plan. The Deputy DPO must have access to the email account identified above to which data breaches are reported.
5.7 The DPO should consider whether input is required from 1StopOrders’s IT Team in order to further investigate the incident, including the extent of the incident and whether any steps need to be taken to contain any breach.
5.8 Depending on the circumstances, the DPO should also consider whether 1StopOrders’s insurers should be notified in accordance with policy terms, whether legal advice is required and if the incident needs to be reported to the Police and the Local Authority.
The DPO should also consider if specialist IT support is required in order to contain and manage a breach. It is likely that we will need to communicate internally and / or externally with our stakeholders regarding the breach or suspected breach.
5.9 If the breach or suspected breach has occurred at one of our Data Processors, the DPO must liaise with the Data Processor to obtain as much information as possible about the extent of the breach or suspected breach and any steps being taken to mitigate any risk to data subjects. It remains 1StopOrders’s responsibility to decide whether to report any such breach to the ICO within 72 hours.
5.10 The same requirement applies if the breach or suspected breach is reported to us by a joint Data Controller though in this case we need to establish with the joint Data Controller who is going to report the breach to the ICO and the data subjects if such notification is required.
5.11 Depending on the timescales as to when a member of staff originally became aware of a breach, the DPO must be mindful of the requirement to notify the ICO without delay and within 72 hours unless it is unlikely to result in a risk to the rights and freedoms of individuals. As stated above, it is therefore possible that a data security breach may need to be reported to the ICO before 1StopOrders has fully investigated or contained the breach. A report to the ICO must contain the following information:
5.11.1 the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned;
5.11.2 the name and contact details of the DPO or other contact point where more information can be obtained;
5.11.3 the likely consequences of the personal data breach;
5.11.4 the measures taken or proposed to be taken by 1StopOrders to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
5.12 The DPO is not required to provide precise details in the report to the ICO if this information is not available and an updated report can be made as and when further details come to light. Such further information may be provided in phases without undue further delay. The DPO should inform the ICO if 1StopOrders does not yet have all the required information and if further details will be provided later on.
5.13 If a follow-up investigation uncovers evidence that the security incident was contained and no breach actually occurred, this information could then be added to the information already given to the ICO and the incident recorded accordingly as not being a breach. There is no penalty for reporting an incident that ultimately transpires not to be a breach.
5.14 In the event that a notifiable breach is not reported to the ICO within 72 hours, a report should be made without delay with the reasons for the delay.
5.15 If the DPO concludes that a referral to the ICO is required and also concludes that there is likely to be a high risk to the rights and freedoms of individuals resulting from the data security breach then the data subjects affected by the breach must also be notified without undue delay. The DPO must liaise with the Directors in relation to how the issue should be communicated to the relevant stakeholders. The DPO will need to consider which is the most appropriate way to notify affected data subjects, bearing in mind the security of the medium as well as the urgency of the situation. The notice to the affected individuals should contain the following information:
5.15.1 description of the nature of the breach;
5.15.2 the name and contact details of the DPO or other contact point;
5.15.3 a description of the likely consequences of the breach; and
5.15.4 a description of the measures taken or proposed to be taken by 1StopOrders to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
5.16 If the DPO decides to notify data subjects about a breach, the notification should at the very least include a description of how and when the breach occurred and what data was involved. Details of what the organisation has already done to respond to the risks posed by the breach should also be included. 1StopOrders should also, where appropriate, provide specific advice to individuals to protect themselves from possible adverse consequences of the breach, such as resetting passwords/licenses in the case where their access credentials have been compromised.
5.17 The DPO must complete the Data Breach Log before making the referral to the ICO and keep it under review as and when further information comes to light.
5.18 In certain circumstances, where justified, and on the advice of law-enforcement authorities, 1StopOrders may delay communicating the breach to the affected individuals until such time as it would not prejudice such investigations. However, data subjects would still need to be promptly informed after this time.
5.19 Even if the DPO initially decides not to communicate the breach to the affected data subjects, the ICO can require us to do so, if it considers the breach is likely to result in a high risk to individuals.
5.20 In the event that the DPO concludes that it is not necessary to refer the breach to the ICO, the DPO must still complete the Data Breach Log and clearly set out the reasons why the DPO is satisfied that a referral is not required. The DPO must keep the decision under review and be prepared to make a referral to the ICO if any circumstances change or if any information comes to light which means that a referral should be made.
5.21 Once the breach has been contained and action taken to stop or mitigate the breach, the DPO must then review the incident and identify any steps which need to be taken in order to prevent a similar breach occurring in future. This may also include whether any disciplinary action is required against any members of staff.
5.22 As part of the review process, the DPO should undertake an audit which should include a review of whether appropriate security policies and procedures were in place and if so, whether they were followed. The audit should include an assessment of any ongoing risks associated with the breach and evaluate 1StopOrders’s response to it and identify any improvements that can be made. The review should also consider the effectiveness of this Data Breach Response Plan and whether any amendments need to be made to it.
5.23 Where security is found not to be appropriate, the DPO should consider what action needs to be taken to raise data protection and security compliance standards and whether any staff training is required.
5.24 Where a data processor caused the breach, the DPO should consider whether adequate contractual obligations were in place to comply with the GDPR and if so, whether the data processor is in breach of contract.
6 Notice of Breach given to Amazon
6.1 Priority over the previous response plan (1 to 5.24) is given to the following, 6.2
6.2 1StopOrders will inform Amazon (via email to firstname.lastname@example.org) within 24 hours of detecting any Security Incidents. 1StopOrders will not notify any regulatory authority, nor any customer, on behalf of Amazon unless Amazon specifically requests in writing that 1StopOrders do so. 1StopOrders understands that Amazon reserves the right to review and approve the form and content of any notification before it is provided to any party, unless such notification is required by law, in which case Amazon reserves the right to review the form and content of any notification before it is provided to any party. 1StopOrders will inform Amazon within 24 hours when their data is being sought in response to legal process or by applicable law.