Data Breach Policy
Last Updated: 28th May 2019
1. Introduction
Under GDPR, businesses have a requirement to keep personal data safe and secure and to respond promptly and appropriately to any personal data breaches. Travel Curious Ltd (“TCL”, “we/us/our”) takes such responsibilities seriously and it is important that we take appropriate steps in the event of any actual, potential or suspected breaches of data security or confidentiality to avoid any risk of damage or harm to data subjects.
2. Intended purpose
The purpose of this Policy is to establish a framework for reporting and managing data security breaches affecting any personal data held by us. It is every employee's and contractor's obligation to report any breach they know of, or believe could have happened.
This Policy should be read in conjunction with our Data Protection Policy and IT Security Policy.
3. What constitutes a data breach?
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Data breaches can happen for a number of reasons including the following:
the disclosure of confidential data to unauthorised individuals whether knowingly or accidentally;
loss or theft of any data or any such equipment on which data is stored, including paper;
unlawful or unauthorised access controls to information;
suspected breach of any of our policies;
attempts to gain unauthorised access to computer systems, for example hacking, viruses, etc.;
inappropriate handling of records including altering or deleting without our permission;
any other security attacks on our IT equipment, systems or networks;
potential breaches of physical security, e.g. forcing of doors or windows into a secure room, or of a filing cabinet, containing confidential information;
unauthorised access to confidential information; and
emails sent in error.
4. Procedure for reporting breaches
4.1. Any actual, potential or suspected breach must be notified to us immediately.
4.2. We will then manage this and respond to this effectively in accordance with the requirements of GDPR and the obligations imposed on us.
4.3. Our Data Protection Officer will prepare appropriate reports and notify the Information Commissioner's Office (“ICO”), if required to do so under GDPR, and any data subject affected.
4.4. We will carry out an initial investigation, contain the breach, carry out any appropriate risk assessments and prepare an evaluation and response on our conclusions.
4.5. If disclosure is not required by GDPR, we will nevertheless investigate closely all the circumstances surrounding the breach and examine the seriousness of the breach and the benefits that might be obtained by disclosure (such as limiting risks of fraud) and we will give careful consideration to any decision to notify the ICO.
4.6. We do not have to notify any data subjects if the data involved in any suspected or actual breach is anonymised or pseudonymised.
5. Data Protection
5.1. The collection, holding and processing of all personal data (as defined in the General Data Protection Regulation 2016 (“GDPR”)) by us will be carried out in compliance with (i) the GDPR and (ii) our Data Protection Policy.
5.2. All Users that have access to, and handle personal data on our behalf, shall adhere to our Data Protection Policy.
6. Who should a breach be reported to?
Personal data security breaches are managed by our CTO, who also acts as TCL's Data Protection Officer.
7. What data does this Policy apply to?
This Policy applies to all personal data collected and managed by us as defined by the GDPR. Please refer to our Data Protection Policy for details of what data we handle.
8. Implementation of this Policy
This Policy shall be deemed effective from the date set out at the top of this Policy. No part of this Policy shall have retroactive effect; it shall thus apply only to matters occurring on or after this date.