QUESTION
Have you come across any breach policy templates or breach notification contracts with suppliers and processors that are simple and straightforward, by any chance?
SHORT ANSWER
No
LONG ANSWER
This is a really great question. There are a number of samples and templates available on-line, and a number of businesses who offer consultancy and support. In the links section below I have included some potential documents. However, whilst these can be a good starting point, be aware of the following.
It is really important to write something that reflects the way your organisation works. Moreover, the type of breach, the circumstances, the data and the impact will necessitate very different content. Consider the following as examples:
Scenario 1: The loss of an encrypted and password-protected laptop that held the name and address of all your members.
Scenario 2: The hacking of your Cloud-IT provider, with the result that all their customer data (including yours) is now available on-line to any criminal or hacker. This is made worse by the fact that your data was not encrypted and included financial, banking and medical details, and you never did any checks on the Cloud-IT provider before you put the data there.
I understand the Jersey Information Commission Office is looking to develop a system that you can update and which then notifies all the appropriate agencies, including the JFSC in the case of Financial Institutions. My understanding is that this is still "on the drawing board", but it will be useful to the Information Commission Office to be able to receive breach notifications quickly and efficiently and in a standard format, especially given the 72 hour deadline.
BREACH NOTICE PROCESS
I recommend that any organisation start first with a data-mapping exercise to understand the step-by-step process and who does what, when, where, how and why.
If, having completed the step-by-step process, you note any risks, or if the data is "special category data" [race; ethnic origin; politics; religion; trade union membership; genetics; biometrics; health; sex life; or sexual orientation], then where necessary you should do a risk assessment (Data Protection Impact Assessment, DPIA) on the possible implications for the data-subject and the measures necessary to protect them.
When you have all this information, you have the basic information needed to answer a subject-access-request ("…what information do you hold about me and why…") and also to complete a breach notification to the regulator or data-subject ("…we have lost personal data, these are the implications, and this is what we are doing…").
It is sensible to have a rehearsed process and some pre-prepared statements, but as you may appreciate the format and content may vary significantly depending on circumstances.
BREACH NOTICE GUIDANCE
You must report a notifiable breach to the ICO without undue delay, but not later than 72 hours after becoming aware of it. If you take longer than this, you must give reasons for the delay. When reporting a breach, the GDPR says you must provide:
- a description of the nature of the personal data breach including, where possible:
  - the categories and approximate number of individuals concerned; and
  - the categories and approximate number of personal data records concerned;
- the name and contact details of the data protection officer (if your organisation has one) or other contact point where more information can be obtained;
- a description of the likely consequences of the personal data breach; and
- a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
Note that if the information is unintelligible (for example, encrypted) then you only have to tell the regulator. If, however, personal data has leaked and is legible or usable, then you also have to tell your data-subjects (e.g. staff, customers, suppliers etc.).
PROCESSOR CONTRACTS + BREACH NOTICE
If you receive data from another organisation and process it on their behalf, or you give data to another organisation and they process it on your behalf, you should have a contract that clearly explains responsibilities, roles, goals and controls.
Controller and processor contracts checklist
- the subject matter and duration of the processing;
- the nature and purpose of the processing;
- the type of personal data and categories of data subject;
- the obligations and rights of the controller.
Contracts must include the following terms:
- the processor must only act on the written instructions of the controller;
- the processor must ensure a duty of confidence;
- the processor must ensure the security of processing;
- the processor must only engage a sub-processor with the prior consent of the data controller;
- the processor must assist on subject access;
- the processor must assist on data breaches and DPIAs;
- the processor must delete or return all personal data;
- the processor must submit to audits and inspections.
It would be prudent for this to include a rehearsed process and some pre-prepared statements, so that both organisations can be co-ordinated and meet the 72 hour deadline for breach notifications.
LINKS
Breach Notification under existing Data Protection Act
Breach Notification form for existing Data Protection Act
GDPR Personal data breaches
Contracts and liabilities between controllers and processors
GDPR ADVICE FOR LOCAL CHARITIES AND NOT-FOR-PROFIT
I am working with Jersey Community Partnership and Association of Jersey Charities to possibly set up a presentation / workshop to talk about GDPR for local Charities and Not-for-Profit.
In the meantime, for January, I have proposed that a useful approach to help local charities might be for organisations to pick a question or topic, and for me to offer general advice on the best approach, which we can publish and share with other charities and not-for-profit organisations.
You can email me with your question or topic at timhjrogers@gmail.com
CONTACT
TimHJRogers@AdaptConsultingCompany.Com
+447797762051 Skype: timhjrogers TimHJRogers@gmail.com