Data Breach Policy

Gary Bury
Gary Bury
Last updated 

What is a data breach?

We are talking about where any personal data is lost, destroyed, corrupted, accessed or disclosed where it shouldn't be. This includes if personal data is made unavailable (for example by a hacker encrypting it or Timetastic going down) and the unavailability having a significant negative effect on individuals.

All hands on deck

If you even suspect a data breach you must inform a Director immediately. This is a stop what-we-are-doing, all-hands-on-deck situation. It becomes number one priority.

A director will lead the team and be responsible for deciding if there has been a breach and decide what steps to take next. You'll be needed to help with any containment or risk assessment steps below.

How we handle a data breach

The following is a general policy to actions we'll take if we suspect or confirm a data breach:

1. Containment:

The immediate priorities are:
  • Contain the breach
  • Limit the scope
  • Where you become aware that personal data has been sent to someone not authorised to see it we may need to inform them, ask them to delete the data and remind them that if they share or disclose it then they too might be in breach of data protection laws.

2. Risk Assessment

If we find a personal data breach, we need to assess the potential adverse consequences for the people whose personal data is involved, how serious or substantial these are and how likely they are to happen.

When assessing the risk, we'll consider the following questions:
  • What type of data is involved?  
  • How sensitive is it?
  • Are there any protections in place such as encryption? 
  • What has happened to the data?
  • If the data has been stolen, could it be used for purposes which are harmful to the people to who's data has been leaked?
  • How many individuals’ personal data is affected?
  • Who are the people whose data has been breached?
  • Are they staff, customers, clients or suppliers?
  • What harm can come to those individuals because of the breach?
  • Are there risks to physical safety or reputation?
  • Is there risk of financial loss to either Timetastic or the individuals concerned?
  • Are there consequences to consider such as a risk to public health or loss of public confidence in a service?
  • Is there a risk of reputation damage to Timetastic?
  • Is there anything we can do to recover any losses and limit the damage the breach could potentially cause?

Notifying, customers, users, ICO

The Directors will investigate if the breach falls under the ICO guidance for reporting at that time. And prepare and submit the necessary reports. Under current guidance it  will be without undue delay, but certainly no later than 72 hours after discovery.

As we are a data processor it might be that we need to notify the data controllers (our customers) as soon as possible.

We'll use the risk assessment to get a handle on the severity of the breach and if it's a high risk then we may need to advise the affected users as soon as possible, especially if there is a need to mitigate an immediate risk of damage to them.

Third parties
We'll need consider if we need to notify and third parties such as the police, insurers, professional bodies, bank or credit card companies.

Document our decisions

At every step of the way we'll keep a document of our findings and decisions, even if it doesn't turn out to be a reportable breach.

We have a data security incident reporting form that will need completing by a Director or senir member of staff: Data security incident report form  - GDPR