Data Breach Policy

Last updated: August 9, 2024

1. Purpose

The purpose of this Data Breach Policy is to establish a framework for responding to data breaches that may compromise the confidentiality, integrity, or availability of personal data or sensitive company information. This policy aims to minimise the risk of data breaches, ensure prompt identification and management of breaches, and fulfil legal and regulatory obligations.

2. Scope

This policy applies to all employees, contractors, vendors, and third-party service providers who have access to the company's information systems or handle personal data or sensitive information.

3. Definitions

- Data Breach: A security incident that results in unauthorised access, disclosure, alteration, or destruction of personal data or sensitive company information.

- Personal Data: Any information related to an identified or identifiable natural person, such as names, contact details, identification numbers, or any other data that can be linked to an individual.

- Sensitive Information: Confidential company information, including but not limited to intellectual property, financial data, and trade secrets.

4. Preventive Measures

To reduce the likelihood of a data breach, the following measures shall be implemented:

- Access Control: Implement strong authentication and access controls to limit access to sensitive information.

- Encryption: Encrypt sensitive data both at rest and in transit to protect it from unauthorised access.

- Regular Audits: Conduct regular security audits and vulnerability assessments to identify and address potential security risks.

- Employee Training: Provide regular training to employees on data protection best practices and how to recognise potential security threats.

5. Identification and Reporting

- Detection: All employees must be vigilant and report any suspicious activity or potential data breaches to the IT department immediately.

- Reporting: Any data breach or suspected breach must be reported to the Data Protection Officer (DPO) or designated security team within 24 hours of discovery.

- Documentation: The incident must be documented with details including the nature of the breach, affected data, and the potential impact.

6. Response and Containment

- Immediate Actions: Upon identification of a breach, the IT department must take immediate steps to contain the breach, such as isolating affected systems, revoking access rights, and applying necessary security patches.

- Assessment: The DPO or security team will assess the scope and impact of the breach, identifying the type of data involved and the number of affected individuals.

- Notification: If personal data is involved, the company must notify the affected individuals and, if required, relevant regulatory bodies within 72 hours of becoming aware of the breach.

- Mitigation: Implement measures to prevent further data loss, such as recovering compromised data, resetting passwords, and enhancing security controls.

7. Investigation and Documentation

- Root Cause Analysis: Conduct a thorough investigation to determine the root cause of the breach and the effectiveness of the response measures.

- Documentation: All actions taken in response to the breach must be documented, including communication with affected parties and regulatory bodies.

- Reporting: A detailed incident report must be prepared and presented to senior management, outlining the breach, response actions, and recommended improvements.

8. Post-Incident Review and Improvement

- Review: After the breach has been contained, the incident will be reviewed to evaluate the effectiveness of the response and identify lessons learned.

- Policy Updates: Based on the review, this Data Breach Policy and associated procedures may be updated to address any identified gaps or weaknesses.

- Training: Additional training may be provided to employees based on the lessons learned to prevent future breaches.

9. Compliance and Legal Obligations

- Regulatory Compliance: The company must comply with all applicable data protection laws and regulations, including but not limited to the General Data Protection Regulation (GDPR) and local privacy laws.

- Legal Obligations: If the breach involves sensitive information that may lead to legal consequences, the company’s legal team must be consulted immediately to ensure appropriate legal actions are taken.

10. Review and Updates

This Data Breach Policy will be reviewed annually or following any significant data breach incident. Any updates will be communicated to all relevant stakeholders, and appropriate training will be provided.

11. Responsibilities

- Data Protection Officer (DPO): Responsible for overseeing the implementation of this policy, reporting breaches, and ensuring compliance with data protection regulations.

- IT Department: Responsible for implementing preventive measures, detecting breaches, and executing the technical aspects of the breach response.

- Employees: Responsible for following security protocols, reporting suspected breaches, and participating in regular training.

12. Consequences of Non-Compliance

Failure to comply with this policy may result in disciplinary action, including termination of employment or contracts, and may also lead to legal action if negligence is determined to have contributed to the breach.

---

Approval Date: 09/08/2024

Effective Date: 09/08/2024

Next Review Date: 09/08/2025

---

Stuart

Car Leasing Provider

I recently had a fantastic experience with this company that truly prioritises its customers and is committed to recycling. Initially, I was hesitant after receiving several quotes that were all in the triple digits from other companies. However, this company offered a quote that was significantly lower—hundreds below the others—so we decided to move forward. They collected our waste on a Friday of this week, and I was impressed to receive a notification the day before with details about the vehicle, driver, and estimated arrival time. The collection itself was handled with care; their staff meticulously managed everything as it was taken from our 5th floor office building. Additionally, they provided all the necessary documentation and certificates at no extra charge. Overall, their professionalism and dedication to service made the experience excellent!

Sara

Installation Provider

Finding a reliable waste collection provider without breaking the bank was a challenge for us. We often deal with a mix of old WEEE from various jobs, and Quality Waste came through with a no-obligation quote—no aggressive sales tactics like we experienced with other companies that kept hounding us to book. We started with a small trial collection on our preferred date, and I was impressed by their professionalism throughout the process. They provided clear notifications the day before, including all the details about the collection timeframe. After everything was collected, they promptly emailed us all the necessary paperwork and certificates. I highly recommend Quality Waste for anyone in need of dependable waste collection services!

Jena

Charitable organization

As a charity with limited funds for disposing of old equipment, we faced challenges finding an affordable solution. After reaching out to several companies, all of whom quoted high fees for collecting our old PCs and laptops, we contacted Quality Waste. They offered a no-charge collection service, which was a welcome surprise. Not only did they collect our items the very next day, but they also donated funds back to us, which was incredibly generous and beneficial for our organisation. This experience couldn’t have been better for us, and I highly recommend Quality Waste for their outstanding service and support!

Matt

Office Admin

For several years, we struggled to find a company that could collect a large amount of old electrical waste from our basement, with every provider quoting us several thousand. Then we found Quality Waste. They sent a staff member to assess the job at no cost, which was a pleasant surprise. To our astonishment, they came back with a very competitive price. They even collected everything on a weekend and went the extra mile by cleaning up after they finished. I couldn’t be happier with their service and highly recommend them to anyone in need of waste collection!

Mohammed

Private Service Provider

We recently upgraded our computers, laptops, and other office equipment and had faced challenges with previous companies that would only collect the laptops and PCs, leaving everything else behind. When we reached out to Quality Waste, we sent them a photo of what we needed collected, and they offered to take everything at no cost, including free paperwork and a hard drive erase certificate. We accepted their offer, and to our surprise, the day after the collection, they informed us that they could provide a rebate for the items. We chose to donate that rebate to a charity we sponsor instead. Overall, we were extremely impressed with their service and highly recommend Quality Waste for their professionalism and generosity!