Data Breach Policy

This policy contains information confidential and proprietary Hennok SARL and its Websites. This document contains information that is confidential or otherwise protected from disclosure and shall not be disclosed without prior approval.

Document version control

The document owner is Ibrahima Diawara

Document history control

Contacts

Definitions

 “Data Breach incident(s)” means any personal data breach which causes losses or destruction to personal data and compromises Confidentiality, Availability and Integrity in accordance with the Information Security Policy.

“ICO” means the information commissioner’s office.

“Personal Data, Data Controller, Data Subjects” as defined under the data privacy law GDPR.

1.  Introduction

This policy provides a guidance to Hennok SARL, in dealing with, reporting or containing Data Breach incidents. This policy applies to all employees, contractors, associates and third parties across the business.

2.  Reporting Data Breach incidents in the business

Employees, contractors, third parties and Data Processors should report a Data Breach incident to Hennok SARL, (as Data Controller) as soon as practicable, even where the breach is outside of normal hours of business operation.

The Data Controller is / are : Ibrahima Diawara

The telephone number for reporting any breach is : +224 623 208 535

Breaches must also be reported by email to : gdpr@hennoksarl.com

3.  Reporting Data Breach Incident to the ICO

A Data Breach incident must be reported to ICO within seventy-two (72) hours by the Data Controller. If there are going to be delays the ICO must be notified of delays.

4.  Dealing with a data breach incident

1. Employees discovering the Data Breach incident should report the incident.
2. Identify the data breach issue. Some questions to think about are what caused the data breach? How many customers are impacted? Which type of personal data is impacted? What can be done to limit and contain the breach, e.g. via encryption or remote access.  This should be highlighted in the report to the Data Controller.
3. Create a data reach incident report this is to be created and updated until completion and closure of the incident as per Appendix1 below.
4. Management will agree the next steps with the employees and the potential fix along with time frames likely to be adopted. The management will identify the business risk following the data breach.
5. The Data Controller will agree with the management any responses before being such responses are released to customers or Data Subjects.
6. All incident closure reports will capture lessons learnt, and improvements to be put in place, subject to guidance from the operating unit and management as well as the designated Data Controller.
7. Notification of the parties impacted will be completed under the direction of the Data Controller.

5.  Privilege

Ensure that any legal advice (legal advice privilege) including documents and documents prepared for courts (litigation privilege) are not subject to disclosure related to a breach.

Appendix 1 – Data breach incident report –Internal

Data Breach Incident background Information

Data Breach Incident investigation and steps taken

Data Breach Incident solution

Other information