Data Breach Procedure
Introduction
At Zuboid Courier we take our responsibilities under the UK’s Data Protection Act (“DPA”) and the General Data Protection Regulation (“GDPR”) very seriously. Whilst the DPA and the GDPR require us to have prevention and detection mechanisms in place, knowing how to handle a Data Breach and how to respond to it mitigates the negative effects on the individuals whose data has been compromised.
Purpose
This procedure sets out how a Personal Data Breach must be handled and provides an easy-to-follow, step-by-step approach that ensures Zuboid Courier can resolve the issue quickly and efficiently.
What is a Personal Data Breach?
The DPA and the GDPR define a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.”
What are the most common forms?
The most common forms of incident are:
- Loss or theft of data, in print or in electronic form stored on devices such as tablets, smartphones or laptops, irrespective of whether the device belongs to Zuboid Courier or to an individual.
- Data accidentally or mistakenly emailed or posted to the wrong person.
- Loss, theft, critical failure, or destruction of hardware or equipment on which data is stored.
- Unauthorised access to data, and inappropriate sharing or dissemination of it, with or without malicious or criminal intent.
- Obtaining information by deception, persuasion, or fraud.
- Natural disasters.
- Unsuitable or non-secure disposal or destruction of hardware or printed data.
- Hacking.
- Human error.
When do I need to report an incident?
Whilst most types of incident can be identified from the above examples, any situation where a member of staff is uncertain whether an incident has occurred or is occurring must be reported.
Who do I report to?
Zuboid Courier’s Data Protection Manager (“DPM”) can be reached at info@zuboidcourier.com.
Procedure
- Upon noticing or becoming aware of a suspected, alleged, or actual personal data breach, the DPM must be notified.
- Once a suspected, alleged, or actual personal data breach has been reported, the DPM must acknowledge receipt of the notification and communicate a reference number to the person reporting the issue.
- Once the reference number has been issued and receipt of the notification has been acknowledged, the DPM must determine the nature of the incident:
  - Human error
  - System error
  - System failure
- Identify the type of data involved.
- Identify the sensitivity of the data involved.
- Identify the volume of data involved.
- Identify the data subjects.
- Identify the form and the result of the breach.
- Identify whether the risk is ongoing.
- Take action to retrieve the data.
- Report findings:
  - Internally
    - Record the breach in the Data Breach Register.
  - Data Processor
    - If Zuboid Courier acts as a Data Processor, notify the Data Controller.
  - Data Controller
    - If Zuboid Courier is the Data Controller, it must be established whether the personal data breach should be reported to the Supervisory Authority. The criterion is: is there a risk to the rights and freedoms of the data subject?
    - Perform a Data Protection Impact Assessment (DPIA) on the processing activity affected by the data breach.
    - If the DPIA returns a high risk to the rights and freedoms of the affected data subjects, the Supervisory Authority and the Data Subject must be notified:
      - Notify the Supervisory Authority.
      - Notify the Data Subject.
    - Advice: the Supervisory Authority and the Data Subject must be notified without undue delay. However, it is good practice to do so within 72 hours.
    - Coordinate with the Supervisory Authority as needed.
Investigate
- Identify and assess the safeguards that are in place.
- Identify if a breach of policy took place.
- Identify possible consequences.
- Identify all gaps that contributed to or caused the breach.
- Perform a gap analysis and identify the root cause.
- Assess the ongoing risk.
- Identify risk mitigation measures.
- Identify preventive actions.
- Identify training needs.
Conclude
- Notify all relevant internal channels.
- Update the Supervisory Authority.
Review
Zuboid Courier will review the effectiveness of this procedure, to ensure it is achieving its stated objectives, at least annually and more frequently if required, taking into account changes in the law and organisational or security changes.