General Data Protection Regulation (GDPR) – Breaches Policy

Under GDPR there is a duty on all organisations to report certain types of data breach to the relevant supervisory authority and in some instances the individuals affected.

Definition:

A personal data breach is a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

It should be noted that a data breach is much more than losing personal data.

Breach Identification:

It is important that all staff understand what constitutes a data breach.  With this in mind, training on GDPR, including information on data breaches, will be provided to all staff and Directors every 24 months.  It is the responsibility of staff and Directors to record training in their training logs.

Breaches are often the result of human error or of a failure to follow data protection procedures correctly.  It is important that any potential breach is identified so that future events can be avoided.

Actual breaches must be brought to your Line Manager’s attention immediately in order that correct breach notification procedures can be followed.

Every employee is responsible for identifying a potential data breach.  If in any doubt the matter should be referred to / discussed with their Line Manager.

Insurance2day Insurance Services Ltd monitor data being sent electronically.

We have installed a firewall to prevent unauthorised external access to our electronic data.  Any attempted breach of security is identified.

If a breach is identified it should be reported to your Line Manager and internal breach reporting procedures followed.

Breach Reporting Procedures:

Emma Robinson is the data protection champion and should be advised of any breaches as soon as they are identified.

Breach Notification:

Firms need to notify the relevant supervisory authority of a breach where it is likely to result in a risk to the rights and freedoms of individuals.  In our instance this is the Information Commissioner's Office (ICO).

If unaddressed, such a breach is likely to have a significant detrimental effect on individuals, for example discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.

Each breach will need to be assessed thoroughly.

Where a breach is likely to result in a high risk to the rights and freedoms of individuals we must also notify the individuals concerned as well as the ICO.

Information to be included in a breach notification:

The following information should be provided:

– The nature of the personal data breach including, where possible:

  • The categories and approximate number of individuals concerned and
  • The categories and approximate number of personal data records concerned

– The name and contact details of the data protection champion

– A description of the likely consequences of the personal data breach and

– A description of the measures taken or proposed to be taken to deal with the personal data breach and, where appropriate, of the measures taken to mitigate any possible adverse effects.

How to notify a breach:

In the first instance the breach should be reported to your Line Manager who will advise the Director responsible for Breach Reporting.

It will be the responsibility of the Director responsible for Breach Reporting to notify the PI Insurers if considered necessary.

A notifiable breach should be reported to the ICO within 72 hours of becoming aware of it.  The breach notification form found on the ICO website should be used.

The ICO recognises that it may be impossible to investigate a breach fully within 72 hours and allows preliminary information to be provided, with additional information being added later.

If the breach is serious enough to warrant notification to the public, we must do so without undue delay.

Failing to notify a breach when required to do so can result in a significant fine of up to 10 Million Euros or 2 percent of our global turnover.

Once the breach has been fully investigated, due consideration must be given to the root cause and to whether a similar situation could occur in the future.  If necessary, procedures / practices should be amended to prevent recurrence.

Once the matter is concluded, all senior management involved should be updated with relevant correspondence and with any final decision.


4. Please carefully review the Eligibility Criteria below and advise if you do not agree with ALL of the statements

- Your company has been in operation for more than 24 months
- USA revenues are less than 25% of the overall revenue
- Revenues from online or automated platforms account for less than 25%
- Revenues from credit card transactions account for less than 25%
- If you handle credit card transactions, you are compliant with the data security standard of PCI (the Payment Card Industry Data Security Standard)
- You don’t use SCADA (Supervisory Control & Data Acquisition) or similar process control software
- You have not sustained any losses or been subject to any claims in the past 5 years which would be covered under the proposed insurance.
- There are no acts, errors, omissions, circumstances, facts, situations, events, incidents or transactions which you are aware of, or ought reasonably to have been aware of, that may give rise to a claim or loss under the proposed insurance.
- All material facts have been disclosed.

Disclaimer

The purpose of this overview is to provide a summary of our interpretation of aspects of the GDPR regulations. This is not an analysis of the law and does not constitute a legal opinion or advice by Insurance2day Insurance Services Ltd. The contents of this overview, or any downloads, should not be relied upon – all companies need to take their own specialist qualified legal advice on any matter that relates to GDPR.