This Policy and Plan aims to help Water2buy manage personal data breaches effectively. Water2buy holds Personal Data about our users, employees, clients, suppliers and other individuals for a variety of business purposes.
Water2buy is committed not only to the letter of the law but also to the spirit of the law and places a high premium on the correct, lawful and fair handling of all Personal Data, respecting the legal rights, privacy and trust of all individuals with whom it deals.
A data breach generally refers to the unauthorized access and retrieval of information that may include corporate and / or personal data. Data breaches are generally recognized as one of the more costly security failures of organizations. They could lead to financial losses, and cause consumers to lose trust in Water2buy or our clients.
The regulations across the various jurisdictions in which Water2buy operates require Water2buy to make reasonable security arrangements to protect the personal data that we possess or control, to prevent unauthorized access, collection, use, disclosure, or similar risks.
This policy applies to all staff. You must be familiar with this policy and comply with its terms. This policy supplements our other policies relating to internet and email use. We may supplement or amend this policy by additional policies and guidelines from time to time. Any new or modified policy will be circulated to staff before being adopted.
All staff will receive training on this policy. New staff will receive training as part of the induction process. Further training will be provided at least every year or whenever there is a substantial change in the law or our policy and procedure.
Training is provided through an in-house seminar and online training on an annual basis, and covers the applicable laws relating to data protection, and Water2buy’ data protection and related policies and procedures.
Completion of training is compulsory.
EU GENERAL DATA PROTECTION REGULATION (EU) 2016/679 (GDPR)
Regulation also applies to organizations based outside the European Union if they collect or process personal data of EU residents.
According to the European Commission, Personal Data is: “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
Water2buy defines Personal Data as the broader of the definitions contained in the GDPR.
Water2buy defines Sensitive Personal Data as the broader of the definitions contained in the GDPR.
Any use of sensitive Personal Data is to be strictly controlled in accordance with this policy.
While some data will always relate to an individual, other data may not, on its own, relate to an individual. Such data would not constitute Personal Data unless it is associated with, or made to relate to, a particular individual.
Generic information that does not relate to a particular individual may also form part of an individual’s Personal Data when combined with Personal Data or other information to enable an individual to be identified.
Aggregated data is not Personal Data.
Water2buy gathers Personal Data for two purposes, to identify and protect the data given to us by our customers, and for internal operations.
Personal Data for health coaching relates to identifiable individual users and may include:
Personal Data we gather for internal operational purposes relates to identifiable individuals such as job applicants, current and former employees, contract and other staff, clients, suppliers, and marketing contacts, and the data gathered may include individuals’ contact details, educational background, financial and pay details, details of certificates and diplomas, education and skills, marital status, nationality, job title, and CV.
Data breaches may be caused by employees, parties external to the organization, or computer system errors.
Human Error causes include:
Malicious causes include:
Computer System Error
Computer System Error causes include:
All members of staff have an obligation to report actual or potential data protection compliance failures. This allows us to:
Under the GDPR, the DPO is legally obliged to notify the Supervisory Authority within 72 hours of the data breach (Article 33). Individuals have to be notified if adverse impact is determined (Article 34). In addition, Water2buy must notify any affected clients without undue delay after becoming aware of a personal data breach (Article 33).
However, Water2buy does not have to notify the data subjects if anonymized data is breached. Specifically, the notice to data subjects is not required if the data controller has implemented pseudo-anonymisation techniques like encryption along with adequate technical and organizational protection measures to the personal data affected by the data breach (Article 34).
The Data Breach Team should immediately be alerted of any confirmed or suspected data breach.
The notification should include the following information, where available:
Where specific information of the data breach is not yet available, Water2buy should send an interim notification comprising a brief description of the incident.
Notifications made by organizations or the lack of notification, as well as whether organizations have adequate recovery procedures in place, will affect supervising authorities’ decision(s) on whether an organization has reasonably protected the personal data under its control or possession.
Responding to a Data Breach
DATA BREACH MANAGEMENT PLAN
Upon being notified of a (suspected or confirmed) data breach, the Data Breach Team should immediately activate the data breach & response plan.
Water2buy’ data breach management and response plan is:
CONFIRM THE BREACH
The Data Breach Team (DBT) should act as soon as it is aware of a data breach. Where possible, it should first confirm that the data breach has occurred. It may make sense for the DBT to proceed Contain the Breach on the basis of an unconfirmed reported data breach, depending on the likelihood of the severity of risk.
CONTAIN THE BREACH
The DBT should consider the following measures to Contain the Breach, where applicable:
ASSESS RISKS AND IMPACT
Knowing the risks and impact of data breaches will help Water2buy determine whether there could be serious consequences to affected individuals, as well as the steps necessary to notify the individuals affected.
Risk and Impact on Individuals
Risk and Impact on organizations
REPORT THE INCIDENT
Water2buy is legally required to notify affected individuals if their personal data has been breached. This will encourage individuals to take preventive measures to reduce the impact of the data breach, and also help Water2buy rebuild consumer trust.
Who to Notify:
When to Notify:
How to Notify:
What to Notify:
EVALUATE THE RESPONSE & RECOVERY TO PREVENT FUTURE BREACHES
After steps have been taken to resolve the data breach, Water2buy should review the cause of the breach and evaluate if existing protection and prevention measures and processes are sufficient to prevent similar breaches from occurring, and where applicable put a stop to practices which led to the data breach.
Operational and Policy Related Issues:
Resource Related Issues:
Employee Related Issues:
Management Related Issues:
Everyone must observe this policy.
Consequences of failing to comply
We take compliance with this policy very seriously. Failure to comply puts both you and the organization at risk.
The importance of this policy means that failure to comply with any requirement may lead to disciplinary action under our procedures which may result in dismissal.