Incident Response Procedure
1. PURPOSE
The purpose of this Procedure is to provide guidelines on the notification and management of personal data breaches. This Procedure is an appendix to the Information Security Policy and the Personal Data Protection Policy, which describe the rights of data subjects in accordance with the General Data Protection Regulation (GDPR).
The Procedure applies to:
- all personal data generated or collected by Uniline in any form
- all personal data processed by Uniline
- all information systems in which such personal data is stored or processed
2. DEFINITIONS
Personal data breach (incident) means a breach of security which leads to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
3. NOTIFICATION OF A PERSONAL DATA BREACH
In the case of a personal data breach, it is vitally important to report the event as soon as possible after becoming aware of it, in order to reduce its potential effects. Everyone who has access to Uniline's information systems is responsible for reporting suspicious activities (incidents) which may lead to a breach of the confidentiality, integrity and/or availability of personal data. Reports can be made by sending an email to dpo@uniline.hr.
3.1. Initial verification
Upon receipt of such an email, the data protection and incident management officer will investigate the cause of the incident or engage another person to conduct the investigation. All records and evidence of the incident will be sent directly to the data protection officer, who will preserve them. The investigation includes assessing the severity of the incident and its impact on the rights and freedoms of Uniline's customers and employees.
4. CONTAINMENT AND RECOVERY
Once it is established that a personal data breach has occurred, Uniline will act as soon as possible to contain the incident. Depending on the severity of the incident, the responsible person will, where appropriate, involve and inform other people in order to:
- establish whether the loss can be recovered and the damage which may be caused by the incident limited
- establish whether the persons affected by the incident must be notified of the personal data breach
- establish whether the competent supervisory authority must be notified of the personal data breach
4.1. Risk assessment
Based on the incident report and the initial verification, Uniline establishes which further actions must be taken to mitigate the effects of the personal data breach and to prevent it from happening again. Uniline documents all personal data breaches, including the facts relating to the breach, its effects and the remedial action taken.
5. NOTIFICATION
When a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, Uniline will communicate the personal data breach to the affected customers without undue delay.
The communication will describe the nature of the personal data breach and give the customers concerned recommendations for mitigating its potential adverse effects. Such communications will be made as soon as reasonably feasible from the moment Uniline, as controller, becomes aware that a personal data breach has occurred. When drawing up such communications to customers, Uniline will follow guidance provided by the supervisory authority or by other relevant authorities.
In the case of a personal data breach, Uniline will notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification is not made within 72 hours, it will be accompanied by the reasons for the delay.
The notification to the supervisory authority will at least:
- describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects (users) concerned and the categories and approximate number of personal data records concerned;
- communicate the name and contact details of the data protection officer from whom more information can be obtained;
- describe the likely consequences of the personal data breach;
- describe the measures taken or proposed to be taken by Uniline to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
6. PERSONAL DATA BREACH REGISTER
Uniline will record all the information listed in section 5, regardless of whether the breach is notified to the supervisory authority or not, in its own personal data breach register, which is stored in Uniline's file system. The register enables the supervisory authority to verify Uniline's compliance with this Procedure.