Data Incident Management Policy for Rhics Ltd

 

Introduction

Rhics Ltd is committed to safeguarding personal data and ensuring compliance with data protection laws. This policy outlines our procedure for managing data incidents, ensuring prompt and effective handling to mitigate any potential harm. It includes clear responsibilities, notification procedures, definitions, severity scales, reporting deadlines, and mechanisms for sharing lessons learned.

Policy Objective

To establish a systematic approach for managing data incidents that ensures quick identification, response, mitigation, and learning from data incidents to prevent future occurrences.

Definitions

Data Incident: Any event that results in unauthorized access, loss, disclosure, alteration, or destruction of personal data. This includes both accidental and unlawful breaches.

Responsibilities

  • Data Protection Officer (DPO): Oversees incident response strategies, compliance with data protection laws, and is the primary contact for data protection issues.
  • IT Security Team: Responsible for initial incident response, including containment and assessment.
  • HR Department: Assists in investigations involving internal personnel.
  • Legal Department: Provides legal advice, handles notifications to regulators and affected individuals, and assists in assessing the incident’s severity.

Notification Procedure

  • Who to Notify:
    • Internal Notification: The IT Security Team immediately notifies the DPO upon discovery of a data incident.
    • External Notification: Regulators (e.g., the ICO in the UK) and affected individuals will be notified based on the severity and legal requirements.
    • Stakeholder Notification: Senior management and other relevant stakeholders are informed as per the communication plan.

Scale of Severity

Data incidents are classified into three categories based on their impact and severity:

  • Low Severity: Incidents with minimal impact and no risk to individual rights and freedoms. Typical response involves recording the incident internally and taking corrective action without wider notification.
  • Medium Severity: Incidents that may pose a risk to individuals’ rights and freedoms but do not result in significant harm. Requires internal review and may require notification to the ICO within 72 hours.
  • High Severity: Incidents that could result in significant harm to individuals, such as financial loss, breach of confidentiality, or reputational damage. Immediate action is required, including notification to the ICO within 72 hours and to affected individuals without undue delay.

Reporting Deadlines

  • Regulatory Notification: For high-severity incidents, the ICO is notified within 72 hours of the organisation becoming aware of it, in accordance with GDPR requirements.
  • Individual Notification: Affected individuals are notified without undue delay if the breach is likely to result in a high risk to their rights and freedoms.

Sharing Lessons Learned

  • Review and Analysis: After managing a data incident, a debriefing is conducted to ascertain the root cause and to evaluate the response effectiveness.
  • Improvement Actions: Based on the analysis, necessary improvements to policies, training, or security measures are implemented.
  • Knowledge Sharing: Lessons learned are shared internally through workshops or training sessions, and, where appropriate, with external stakeholders to enhance industry practices.

Documentation and Record Keeping

All data incidents, regardless of their severity, are documented. Records include details of the incident, its effects, the remedial actions taken, and the decision-making process involved in the response. This documentation supports compliance with legal obligations and aids in continuous improvement.

Approval and Review

This policy has been approved by the board of directors and is subject to annual review to ensure its effectiveness and compliance with the latest legal and regulatory requirements.