Data Breach Policy


“Data Breach incident(s)” means any personal data breach which causes loss or destruction of personal data and compromises Confidentiality, Availability and Integrity in accordance with the Information Security Policy.

“ICO” means the Information Commissioner’s Office.

“Personal Data”, “Data Controller” and “Data Subjects” have the meanings defined under the data privacy law GDPR.

1.  Introduction

This policy provides guidance to Hennok SARL in dealing with, reporting or containing Data Breach incidents. This policy applies to all employees, contractors, associates and third parties across the business.

2.  Reporting Data Breach incidents in the business

Employees, contractors, third parties and Data Processors should report a Data Breach incident to Hennok SARL (as Data Controller) as soon as practicable, even where the breach is outside of normal hours of business operation.

The Data Controller is: Ibrahima Diawara

The telephone number for reporting any breach is: +224 623 208 535

Breaches must also be reported by email to :

3.  Reporting Data Breach Incident to the ICO

A Data Breach incident must be reported to the ICO within seventy-two (72) hours by the Data Controller. If there are going to be delays, the ICO must be notified of them.

4.  Dealing with a data breach incident

  1. Employees discovering the Data Breach incident should report the incident.
  2. Identify the data breach issue. Some questions to think about are: What caused the data breach? How many customers are impacted? Which type of personal data is impacted? What can be done to limit and contain the breach, e.g. via encryption or remote access? The answers should be highlighted in the report to the Data Controller.
  3. Create a data breach incident report as per Appendix 1 below. This report is to be updated until completion and closure of the incident.
  4. Management will agree the next steps with the employees and the potential fix along with time frames likely to be adopted. The management will identify the business risk following the data breach.
  5. The Data Controller will agree with the management any responses before such responses are released to customers or Data Subjects.
  6. All incident closure reports will capture lessons learnt, and improvements to be put in place, subject to guidance from the operating unit and management as well as the designated Data Controller.
  7. Notification of the parties impacted will be completed under the direction of the Data Controller.

5.  Privilege

Ensure that any legal advice (legal advice privilege), including documents, and any documents prepared for courts (litigation privilege) are not subject to disclosure related to a breach.


Appendix 1 – Data breach incident report – Internal


Date of the Data Breach incident:
Reported by:
Number of Personal Data records affected
Number of customers potentially impacted (plus actual if known)
Other stakeholders impacted
Risk of impacts
Likelihood of impact


Data Breach Incident background Information


Data Breach Incident investigation and steps taken

Systems and Records


Nature of Breach


Physical Breach



Observed/Known Impact


Monitoring in place:  Yes/No/Methods


Communication Plan Recommendations:






Data Breach Incident solution

Root cause of breach


Who is responsible for the breach?


Could the breach have been avoided?





Other information

Customer notified
ICO notified
Data subjects notified
Management agree solution