Definitions
“Data Breach incident(s)” means any personal data breach that results in the loss or destruction of personal data, or that compromises its Confidentiality, Integrity or Availability as defined in the Information Security Policy.
“ICO” means the Information Commissioner’s Office.
“Personal Data”, “Data Controller” and “Data Subjects” have the meanings given to them in the GDPR.
1. Introduction
This policy provides guidance to Hennok SARL on dealing with, reporting and containing Data Breach incidents. It applies to all employees, contractors, associates and third parties across the business.
2. Reporting Data Breach incidents in the business
Employees, contractors, third parties and Data Processors should report a Data Breach incident to Hennok SARL (as Data Controller) as soon as practicable, even where the breach occurs outside normal business hours.
The Data Controller is: Ibrahima Diawara
The telephone number for reporting any breach is: +224 623 208 535
Breaches must also be reported by email to: gdpr@hennoksarl.com
3. Reporting Data Breach Incident to the ICO
A Data Breach incident must be reported to the ICO by the Data Controller within seventy-two (72) hours. If the notification is going to be delayed, the ICO must be informed of the delay.
4. Dealing with a data breach incident
- Employees discovering the Data Breach incident should report the incident.
- Identify the data breach issue. Questions to consider: What caused the data breach? How many customers are impacted? Which types of personal data are impacted? What can be done to limit and contain the breach, e.g. via encryption or remote access? The answers should be highlighted in the report to the Data Controller.
- Create a data breach incident report. It is to be created and updated until completion and closure of the incident, as per Appendix 1 below.
- Management will agree the next steps and the proposed fix with the employees, along with the time frames likely to be adopted. Management will identify the business risk arising from the data breach.
- The Data Controller will agree any responses with management before such responses are released to customers or Data Subjects.
- All incident closure reports will capture lessons learnt and the improvements to be put in place, subject to guidance from the operating unit and management as well as the designated Data Controller.
- Notification of the impacted parties will be completed under the direction of the Data Controller.
5. Privilege
Ensure that any legal advice, including the documents it relates to (legal advice privilege), and any documents prepared for court proceedings (litigation privilege) are not disclosed in connection with a breach.
Appendix 1 – Data Breach Incident Report – Internal
Date of the Data Breach incident:
Reported by:
Number of Personal Data records affected:
Number of customers potentially impacted (plus actual number if known):
Other stakeholders impacted:
Risk of impact:
Likelihood of impact:
Data Breach Incident background information
- Data Breach Incident investigation and steps taken:
- Systems and records:
- Nature of breach:
- Physical breach:
- Observed/known impact:
- Monitoring in place (Yes/No/Methods):
- Communication plan recommendations:
Data Breach Incident solution
- Root cause of breach:
- Who is responsible for the breach?
- Could the breach have been avoided?
Other information
- Customer notified:
- ICO notified:
- Data Subjects notified:
- Management agreed solution: