Lavish Alice Retail Limited Data Breach Policy
...
This policy applies to Lavish Alice Retail Limited whose registered office is at Unit 33 Irlam Business Centre, Soapstone Way, Manchester, M44 6RA, referred to in this policy as the Company. This policy reflects the Company’s obligations and duties under the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (Legislation).
The policy is effective from 01/01/2024 and applies to all of the Company’s directors, employees, consultants, volunteers, and those working on a temporary basis or through an agency.
This Breach Policy is to be read in conjunction with the Company’s Data Protection Policy. The definitions of Company and Legislation are as set out in that Policy.
...
A breach of the Legislation (a personal data breach) occurs if there is a breach of security of data which leads to:
(i) the accidental or unlawful destruction of;
(ii) the loss of;
(iii) the alteration of; or
(iv) the unauthorised disclosure of, or access to,
any Data.
...
The Company and all employees have an ongoing obligation to comply with the Legislation. If an employee finds that there has been a breach of the Legislation, or suspects that a breach of the Legislation may have occurred or is likely to occur, whether as a result of their own actions, the actions of someone else (including someone outside the Company) or the actions of any of the Company’s data processors, they must report it immediately, and in any event within 24 hours of discovery, to the Data Compliance Manager and to the Deputy Data Compliance Manager.
...
All employees are obliged to make such a report and to cooperate in providing any information that the Data Compliance Manager (and / or the Deputy) may require in order to deal with the breach or anticipated breach. It is vital that this report is made immediately, as the Data Compliance Manager may need to inform the individual or individuals affected by the breach in order to protect their interests, and may also need to inform the Information Commissioner’s Office (ICO) in line with the requirements of the Legislation. If the matter needs to be reported to the ICO, the Company must do so within 72 hours of the time of discovery; this period includes weekends and bank holidays.
...
In addition, should any individual allege that they are concerned that there is or may have been a breach of the Legislation, the employee must report this immediately, and in any event within 24 hours, to the Data Compliance Manager and the Deputy Data Compliance Manager.
...
If a third party notifies the Company of a breach of the Legislation, or makes such an allegation, the employee should not make any admission; they should acknowledge receipt and advise that the matter will be referred to the Data Compliance Manager.
...
If the breach is serious, relates to the security of data and is likely to result in a risk to an individual’s rights and freedoms, the Data Compliance Manager (or, in their absence or if they are unavailable, the Deputy Data Compliance Manager) should be contacted immediately by telephone in the first instance to advise that a breach has occurred.
...
Upon receipt of a report, the Data Compliance Manager, their Deputy or others enlisted if necessary will consider the matter raised, may request further information, and will decide whether the issue should be reported to the ICO. In doing so, they will consider the likelihood and severity of the resulting risk to the individual’s or individuals’ rights and freedoms. If such a risk is identified, the Data Compliance Manager (or the Deputy Data Compliance Manager) will notify the ICO within 72 hours.
...
They will also consider whether the individual/s affected should be notified of the breach. Before deciding whether to inform them, they will consider whether the rights and freedoms of the individual/s have been affected, the extent to which they have been affected, and the general effect of the breach. If the decision is made to inform them, the Data Compliance Manager (or the Deputy Data Compliance Manager) will do so as soon as possible and in any event within 72 hours.
...
The Data Compliance Manager (or the Deputy Data Compliance Manager) will document electronically the decision-making process and the reasons for the decision reached.
...
Whether or not the breach is reported to the ICO, and whether or not the individual/s affected are informed, the details will be fully documented and retained by the Data Compliance Manager and a report logged in the Company’s Breach Register.
...
The Data Compliance Manager is responsible for creating and maintaining the Company’s Breach Register. The board of directors will review the Breach Register regularly, in particular to establish whether there are any trends in the nature of breaches which need to be addressed, and what procedures should be put in place to limit the extent of future breaches.
...
If there is a large-scale breach caused by the Company’s computer systems being hacked, or as a result of any malicious or targeted attack affecting the personal data held by the Company, the Data Compliance Manager will refer the matter to the board of directors as soon as possible. The board will determine what action to take, which may include but is not limited to:
(i) informing those whose data is affected;
(ii) deciding how they will be informed;
(iii) deciding what protection measures are to be put in place internally, both in the immediate aftermath and subsequently (particularly to prevent future attacks);
(iv) deciding what support should be given by the Company to those affected; and
(v) informing the Police and Action Fraud.
...
Last Policy Update: 25/10/2024 by Matthew Newton.