A clear and bold heading
This hotel booking engine is owned and run by Roomex Limited.
GDPR: Data Breach Protocol
- What to do in case of a breach
1.1. Roomex Limited (“Roomex”) has put in place a security breach management team (SBM Team) consisting of senior members of the technology and executive teams. Please contact the Data Protection Officer (firstname.lastname@example.org) in case the primary members of the SBM Team are not available when a breach occurs.
1.2. There is a limited time available to investigate a breach before we must notify the Data Protection Commissioner. Staff members should contact the Data Protection Officer immediately if they become aware of a security breach. Typical breaches include situations where an individual’s data is sent to another individual.
1.3. The SBM Team has been trained to understand their role in managing the security breach. Dealing with a breach quickly can limit the damage that it causes.
- Investigate the facts
- The nature and cause of the breach including whether the breach is:
- a combination of the above.
- “availability breach” where there is an unauthorised or accidental loss of access to or destruction of personal data or
- “integrity breach” where there is an unauthorised or accidental alteration to personal data;
- “confidentiality breach” i.e. where there is an unauthorised or accidental disclosure of or access to personal data;
- The extent of the damage or harm that results, or could result, from the breach.
- Ascertain whether appropriate technical and organisational measures have been implemented.
2.2. A Data Breach Report (to the Supervisory Authority) should be filled out by the SBM team for all breaches.
- Stop or mitigate the breach
The SBM Team will:3.2. Take action to stop the breach from continuing or recurring and mitigate the harm that may continue to result from the breach. It will consider the following:
- What steps can be taken to stop or minimise further loss?
- What steps can be taken to recover, correct or delete data?
- Does evidence need to be preserved for a potential criminal investigation?
3.3. If the Data Protection Commission (“DPC”) is notified or becomes involved in a data security breach, she will want to know what has been done to stop or mitigate the breach and what Roomex will do to ensure future compliance with the security principles in both the General Data Protection Regulation (the “GDPR”) and the Data Protection Act 2018. The DPC has powers to obtain information and take enforcement action if necessary.
4.1. If no cyber insurance is in place the SBM team will check insurance and professional indemnity insurance policies or any other relevant policy and consider whether notification is required under the policy.
- Create a detailed assessment of the breach
5.1. Record-keeping and assessment is the next important step.
5.2. The SBM team may ask you to fill out a detailed data breach record form.
5.3. These forms will be retained as part of our accountability mechanism.
- Consider who needs to be notified
6.1.1. Data subjects: Data subjects may need to be notified that their data has been compromised and given details of the breach, what steps Roomex has taken to mitigate the breach and any potential repercussions of the breach for the data subject.
6.1.2. The DPC: The GDPR and Data Protection Act require notification to the DPC in the event of a data security breach unless certain exemptions apply. In general, a data breach will require notification to the DPC if the data includes:
- the possibility of harm to the data subjects
- a large volume of personal data
- sensitive data (e.g. health information)
- loss of data which could lead to identity theft (financial data)
6.1.1. Other Data controllers: If there are other data controllers of the personal data in question, we may want to notify them (although this is not a legal obligation under the GDPR). We may need to notify other data controllers under the terms of the contract with that data controller or under the requirements of the GDPR.
6.1.2. The Gardaí or other agencies: if the data breach involved a potentially criminal act, then the Gardaí or other law enforcement agency may need to be notified.
6.1.3. Regulators: some professional regulators may need to be informed of data breaches within their remit.
6.2. The SBM team will decide whether legal, technical or PR advice should be taken as soon as possible. This should ideally occur in advance of making any notification.
- Check the contract
7.2. Where the data security breach has been caused by a third party, the SBM team should consider Roomex’s contract with third parties, and in particular:
- Are the data protection and data security obligations in the contract appropriate for the purposes of compliance with the security principle in the GDPR?
- Does Roomex have a claim or any liability for breach of a specific data protection or security obligation in the GDPR?
- In the absence of any specific data security provisions consider whether there may be a claim or any liability for breach of confidence or a failure to take reasonable skill and care.
- Does the breach give rise to a right to claim damages? If so, is the value of the claim limited by the contractual limit of liability? Many contracts carve out claims for loss of data and damage to reputation from the limitation and exclusions of liability provisions.
- How will the claim for damages be quantified? Do liquidated damages or service credits apply? Are the costs incurred as a result of the breach recoverable? Is Roomex able to pass on any liability it may have following the sanctions taken by DPC to the data processor?
- Does the breach give rise to a right to terminate the contract?
- Does the data security breach trigger any other aspects of the contract, such as audit rights or the implementation of business continuity and disaster recovery plans?
- Are there are any specific contractual administration matters that need to be observed to preserve rights, such as compliance with notice provisions or prescribed alternative dispute resolution procedures?
- Does disciplinary action need to be taken?
- Roomex’s disciplinary policies and other relevant policies, such as data protection policies, Employee Handbooks, IT and internet use policy and security policies to determine the extent to which the employee has breached their express contractual provisions.
- Whether the employee had received adequate training and guidance on data protection and security responsibilities and ought reasonably to have been aware of Roomex’s expectations and the consequences of breaching them.
- Whether there has been any breach of statute that could justify immediate suspension or summary dismissal. Where disciplinary action is appropriate, this must be conducted in accordance with the statutory dismissal and disciplinary procedures and Roomex’s own disciplinary procedure.
- Audit of security appropriateness and the need to make necessary improvements
9.2. Where one or more data processor may have caused the breach, consider whether adequate contractual obligations were in place to comply with the security principle and if so, whether the data processor(s) is in breach of contract.
9.3. Where security is found not to be appropriate for the purpose of the security principle, consider what action needs to be taken to raise data protection and security compliance standards to those required by the security principle.
9.4. If the DPC is notified or becomes involved in a data security breach, she is likely to request information around any subsequent testing of systems or review of any security procedures which failed to meet the standards of technical and organisational security.
9.5. This may include engaging independent external experts to carry out penetration testing or security audits on Roomex’s systems.
9.6. This may include reviewing and updating employee, policies or other contractual provisions.
9.7. The above process should be kept on the Data Protection folder.