Data Breach Policy

The Data Protection Officer (DPO): Laurence Cope

Introduction

Amity Web Solutions collects, stores, processes, and shares personal data of its customers and its customers' customers. Every care is taken to protect this personal data from accidental or deliberate incidents that could amount to a data protection breach. A breach of personal data may result in harm to the individual(s) concerned, reputational damage, disruption to service provision, legislative non-compliance and/or financial costs.

The UK General Data Protection Regulation (UK GDPR) requires a personal data breach to be reported to the supervisory authority (the ICO) without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to result in a risk to people's rights and freedoms. Failure to report a breach when required to do so could result in a significant fine.

Purpose and Scope

This procedure applies to all personal data held by Amity Web Solutions, in both electronic and manual form.

The aims of this procedure are:

  • To provide a framework for responding to data breaches
  • To ensure data breaches are appropriately identified and reported
  • To ensure data breaches are recorded and investigated
  • To ensure all staff are aware of reporting procedures

What is a Personal Data Breach?

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

Examples of data breaches include:

  • Loss or theft of data or equipment on which data is stored
  • Unauthorised access to or use of data by a third party or staff member
  • Loss of data due to unforeseen circumstances such as fire or flood
  • Human error (e.g. data sent to wrong recipient)
  • Hacking attacks
  • 'Blagging' offences where information is obtained by deception

Reporting a Breach

All staff must report actual or suspected data breaches to the Data Protection Officer immediately upon discovery. Reports should include:

  • Date and time of breach (or suspected breach)
  • Details of person reporting the breach
  • Description of the breach
  • Categories and approximate number of individuals concerned
  • Categories and approximate number of records concerned

Investigation and Risk Assessment

The DPO will investigate all reported breaches and assess the risk to individuals. This assessment will consider:

  • The type of breach
  • The nature, sensitivity and volume of personal data
  • Ease of identification of individuals
  • Severity of consequences for individuals
  • Special characteristics of the individual (e.g. vulnerable person)
  • Number of affected individuals

Notification

Where a breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of the breach.

Where a breach is likely to result in a high risk to the rights and freedoms of individuals, we will also notify those individuals without undue delay.

Every breach will be recorded, including those assessed as not requiring notification to the ICO, together with the facts of the breach, its effects, the action taken and the reasoning behind the notification decision.

Contact

To report a data breach or for any questions regarding this policy, please contact the Data Protection Officer.