DATA BREACH POLICY


SweetLegs Clothing Inc., “SweetLegs”, collects, holds, processes, and shares personal data, a valuable asset that needs to be suitably protected.  Every care is taken to protect personal data from incidents (either accidentally or deliberately) to avoid a data protection breach that could compromise security.  


SweetLegs is obliged under GDPR to have in place a framework designed to ensure the security of all personal data during its lifecycle. This policy sets out the procedure to be followed to ensure a consistent and effective approach is in place for managing data breach and information security incidents.


This policy applies to all staff and contractors at SweetLegs. This includes temporary, casual or agency staff and contractors, consultants, suppliers and data processors working for, or on behalf of SweetLegs.


The objective of this policy is to contain any breaches, to minimize the risk associated with the breach, and consider what action is necessary to secure personal data and prevent further breaches.


An incident in the context of this policy is an event or action which may compromise the confidentiality, integrity, or availability of systems or data, either accidentally or deliberately, and has caused or has the potential to cause damage to SweetLegs information assets and/or reputation.


An incident includes but is not restricted to, the following:


    • Loss or theft of confidential or sensitive data or equipment on which such data is stored (e.g. loss of a laptop, USB stick, iPad / tablet device, or paper record)
    • Equipment theft or failure
    • System failure
    • Unauthorized use of, access to, or modification of data or information systems;
    • Attempts (failed or successful) to gain unauthorized access to information or IT system(s);
    • The unauthorized disclosure of sensitive/confidential data;
    • Website defacement;
    • Hacking attack;
    • Unforeseen circumstances such as a fire or flood;
    • Human error;
    • Phishing offenses where information is obtained by deceiving the organization who holds it.


BREACH MANAGEMENT PROTOCOL


Any individual who accesses, uses, or manages SweetLegs’ information is responsible for reporting data breach and information security incidents immediately to IT personnel, the owners of SweetLegs, and the General Manager.  If the breach occurs or is discovered outside normal working hours, it must be reported as soon as possible.


The report must include full and accurate details of the incident, when the breach occurred (dates and times), who is reporting it, if the data relates to people, the nature of the information, and how many individuals are involved.


IT staff will first determine if the breach is still occurring. If so, the appropriate steps will be taken immediately to minimize the effect of the breach.


An initial assessment will be made by SweetLegs with relevant staff and vendors to establish the severity of the breach and who will take the lead investigating the breach.


An investigation will be undertaken immediately by SweetLegs and wherever possible, within 24 hours of the breach being discovered/reported.


The investigation will need to take into account the following:

  • The type of data involved;
  • Its sensitivity;
  • The protections in place (e.g. encryption);
  • What has happened to the data (e.g. has it been lost or stolen);
  • Whether the data could be put to any illegal or inappropriate use;
  • Data subject(s) affected by the breach, the number of individuals involved and the potential effects on those data subject(s);
  • Whether there are wider consequences to the breach.

SweetLegs, in consultation with relevant staff and vendors, will establish whether any supervisory authorities will need to be notified of the breach and if so, notify them within 72 hours of becoming aware of the breach, where feasible.


Individuals whose personal data has been affected by the incident, and where it has been considered likely to result in a high risk of adversely affecting that individual’s rights and freedoms, will be informed without undue delay. Notification will include a description of how and when the breach occurred and the data involved. Specific and clear advice will be given on what they can do to protect themselves, and include what action has already been taken to mitigate the risks. Individuals will also be provided with a way in which they can contact SweetLegs for further information or to ask questions on what has occurred.


Once the initial incident is contained, SweetLegs will carry out a full review of the causes of the breach, the effectiveness of the response(s) and whether any changes to systems, policies, and procedures should be undertaken.


Existing controls will be reviewed to determine their adequacy, and whether any corrective action should be taken to minimize the risk of similar incidents occurring.


This policy will be updated as necessary to reflect best practice and to ensure compliance with any changes or amendments to relevant legislation.


This policy was last reviewed in January 2019.
