Data Breach Policy

Confidentiality Statement

This policy contains information that is confidential and proprietary to Hennok SARL and its Websites. This document contains information that is confidential or otherwise protected from disclosure and shall not be disclosed without prior approval.

Document version control

The document owner is Ibrahima Diawara

Date        Current Version  Comment         Next review date  Author  Status
22/08/2018  1                Policy created                    ID      Approved

Document history control

Date        Version  Comment         Author  Approver  Status
22/08/2018  1        Policy created  ID                Approved

Contacts

Name              Role     Company  Contact
Ibrahima Diawara  Manager  Hennok   gdpr@hennoksarl.com

Definitions

“Data Breach incident(s)” means any personal data breach which causes loss or destruction of personal data and compromises Confidentiality, Availability and Integrity, in accordance with the Information Security Policy.

“ICO” means the Information Commissioner’s Office.

“Personal Data”, “Data Controller” and “Data Subjects” have the meanings given to them under the data privacy law GDPR.

1.  Introduction

This policy provides guidance to Hennok SARL on dealing with, reporting and containing Data Breach incidents. This policy applies to all employees, contractors, associates and third parties across the business.

2.  Reporting Data Breach incidents in the business

Employees, contractors, third parties and Data Processors should report a Data Breach incident to Hennok SARL (as Data Controller) as soon as practicable, even where the breach occurs outside normal business hours.

The Data Controller is: Ibrahima Diawara

The telephone number for reporting any breach is: +224 623 208 535

Breaches must also be reported by email to: gdpr@hennoksarl.com

3.  Reporting Data Breach Incident to the ICO

A Data Breach incident must be reported to the ICO by the Data Controller within seventy-two (72) hours. If there is going to be a delay, the ICO must be notified of the delay.

4.  Dealing with a data breach incident

  1. Employees discovering the Data Breach incident should report the incident.
  2. Identify the data breach issue. Some questions to think about are: what caused the data breach? How many customers are impacted? Which type of personal data is impacted? What can be done to limit and contain the breach, e.g. via encryption or remote access? The answers should be highlighted in the report to the Data Controller.
  3. Create a data breach incident report; it is to be updated until completion and closure of the incident, as per Appendix 1 below.
  4. Management will agree the next steps with the employees, including the potential fix and the time frames likely to be adopted. Management will identify the business risk following the data breach.
  5. The Data Controller will agree any responses with management before such responses are released to customers or Data Subjects.
  6. All incident closure reports will capture lessons learnt and improvements to be put in place, subject to guidance from the operating unit and management as well as the designated Data Controller.
  7. Notification of the parties impacted will be completed under the direction of the Data Controller.

5.  Privilege

Ensure that any legal advice (legal advice privilege), including documents prepared for courts (litigation privilege), is not subject to disclosure in relation to a breach.

Appendix 1 – Data breach incident report – Internal

Date of the Data Breach incident:
Reported by:
Number of Personal Data records affected:
Number of customers potentially impacted (plus actual if known):
Other stakeholders impacted:
Risk of impacts:
Likelihood of impact:

Data Breach Incident Background Information

Data Breach Incident Investigation and Steps Taken

Systems and Records

Nature of Breach

Physical Breach

Observed/Known Impact

Monitoring in place: Yes/No/Methods

Communication Plan Recommendations:

Data Breach Incident solution

Root cause of breach:

Who is responsible for the breach?

Could the breach have been avoided?

Other information

Customer notified:
ICO notified:
Data subjects notified:
Management agree solution: