Data breach protocol
This document describes the different steps that are taken within Tezcan IT Solutions BV in case of a data breach, which falls under the Data breach notification obligation.
|Management||Acceptance and registration of data breach notifications|
|Management||Reporting data breaches to the Authority Personal data|
|Management||Assessing and recording consequences and measures to be taken|
|Management||Approval of measures|
|Management||Reporting data leaks of personal data|
1.1 Description of the procedure
The obligation to report data leaks is an amendment to the WBP and will take effect from 1 January 2016. A data breach constitutes a breach of the security of personal data. The personal data is then exposed to loss or unlawful processing.
Data breaches can occur as a result of:
- deliberate action (cyber crime, hacking, identity fraud, mailware contamination);
- technical failure (ICT malfunctions);
- human error (password/issuing username/password to colleagues and external parties);
- calamity (fire data centre, flooding);
- lost USB stick or laptop;
- Sending email with email addresses of all addressees;
- unlawful processing of data.
2. Reporting personal data to the Authority
2.1. Personal data authority
When a data breach leads to a risk for the rights and freedoms of data subjects, this must be reported to the Authority Personal Data without delay (within 2 days) after the responsible person within Tezcan IT Solutions BV has become aware of it. Tezcan IT Solutions BV uses for this the by the Authority Personal Data Reporting Guidelines. When it is probable that a data leak also results in a high risk for the rights and freedoms of those involved, the leak must also be reported to those involved, with the help of the client. In the case of Tezcan IT Solutions BV these are generally the users of the systems of the client of the specific project. Persons involved are those whose personal data are involved in a breach. The data subject must be notified of the breach without delay, if the breach is likely to adversely affect his privacy. A processor is obliged to report a data breach to the data controller.
- Responsible party: management Tezcan IT Solutions BV. The responsible party has control over the purpose and method of processing. Formally, legally and factually (functionally) the one who determines the purpose and means of processing personal data. The person who has control and is responsible for the purpose and means of processing and decides on storage periods, provision of inspection requests, etc. The responsible party has the governing role (directing the management of privacy in the chain);
- Processor: the person who processes the data on behalf of the responsible party without being subject to his or her direct authority (also externally). The processor processes personal data in accordance with the instructions and ultimate responsibility of the responsible party. The processor does not make decisions about the use of the data, the provision to third parties and other recipients, the duration of storage of the data, etc.
2.2. Internal reporting step-by-step plan
2.2.1. Step 1: Reporting data breach
All data leaks of personal data must be reported internally to management and are documented by management. The report can be made by any employee and any processor. The report can also be made by an external person to an employee of Tezcan IT Solutions BV. The report must be made directly to the management and documented in writing. Outside office hours the management can be reached.
The management records:
- Name of the reporter;
- date and time of the report;
- nature of the breach (is there a significant risk of loss or unlawful processing?);
- which personal details are covered by the report;
- what number and/or data records are involved;
- which (groups of) persons are involved in the report;
- what measures have been or will be taken by the notifier;
- what consequences does the reporter believe there will be for the data subjects;
- the contact person for the report.
2.2.2. Step 2: Inventory of consequences and measures to be taken
After receipt of a notification of a data breach, the management of Tezcan IT Solutions BV assesses and records the data breach:
- the necessary follow-up actions with regard to the data breach (immediately close the leak, limit access to information and at the same time gather more information about the intruder;
- what will be reported to the Authority for Personal Data by the management (in addition to the nature of the breach, which personal data, number of persons/records involved):
- the possible consequences for the persons involved;
- the measures that Tezcan IT Solutions BV takes and/or can take to reduce the damage for those involved;
- the measures the persons involved can take to reduce further damage, including the way of informing about this;
- contact details for those involved;
- the method of internal handling, including communication to the notifier, department(s) concerned and team leader(s);
- whether there is personal liability, or liability of third parties, such as on the grounds of breach of contract (because a confidentiality obligation has been breached, or insufficient security has been achieved in breach of a contractual obligation) or in tort;
- whether or not to make a report and determine whether or not there is criminal culpability. This may be the case, for example, when there is involvement from Tezcan IT Solutions BV or when insufficient measures have been taken to prevent irregularities. If desired, consultation will take place with the legal advisor;
- what is communicated internally, at what time;
- what is communicated externally, at which moment. It will be determined whether the press need to be informed;
- whether, in addition to the Personal Data Authority, other stakeholders will also be informed;
- how reports are made internally, including the action holder;
- whether any damage is covered by the insurance policy.
2.2.3. Step 3: Accord
The management approves the activities to be carried out, as determined, or adjusts the activities to be carried out. The activities determined by the management shall be carried out.
2.2.4. Step 4: Reporting to the Authority Personal Data
The Management Board shall notify the Personal Data breach to the Authority within 2 days. In any case it will have to be reported:
- nature of the breach, including categories involved, number of data subjects, number of data records;
- description of the expected consequences;
- measures taken and/or proposed;
- information on actions to be taken by the data subject with a view to mitigating the adverse effects;
- contact details of the data subject;
2.2.5. Step 5: Acknowledgement of receipt by the Authority Personal data
If a notification is made, Tezcan IT Solutions BV will receive a confirmation of receipt. In case of reports that give rise to further action by the Authority Personal Data, the Authority Personal Data will contact Tezcan IT Solutions BV to verify the origin of the report.