
DBS Data Breach Policy

Date: May 2018

Summary

This document describes the processes to be followed by DBS Interactive in the event that DBS experiences a data breach, or suspects that a data breach may have occurred. A data breach involves the loss of, unauthorized access to, or unauthorized disclosure of, personal information.


Introduction

DBS is committed to managing all data, including personal information, in accordance with all relevant laws and regulations, including Europe’s General Data Protection Regulation.

This document describes the processes to be followed by DBS in the event that DBS experiences a data breach or suspects that a data breach may have occurred. A data breach involves the loss of, unauthorized access to, or unauthorized disclosure of, personal information.

DBS is prepared to act quickly in the event of such an incident.

Adherence to this Data Breach Policy will ensure that DBS can contain, assess and respond to data breaches expeditiously, and mitigate potential harm to the person(s) and entities affected.

Process when a breach is suspected or known

Alert

Where a privacy data breach is known to have occurred, or is suspected, any member of DBS staff who becomes aware of this must, within 2 hours, alert the DBS executive team.

The information that should be provided (if known) at this point includes:

  1. When the suspected breach occurred (time and date, if known)
  2. Description of the breach (type of personal information involved)
  3. Cause of the breach (if known); otherwise how it was discovered
  4. Which system(s), if any, are affected
  5. The extent of the suspected breach
  6. Whether corrective action has yet been taken to remedy or mitigate the suspected breach

Assess and determine the potential impact

Once notified of the information above, the DBS executive team must consider whether a privacy data breach has (or is likely to have) occurred and make a preliminary judgement as to its severity.

Criteria for determining whether a privacy data breach has occurred

  1. Is personal information involved?
  2. Is the personal information of a sensitive or identifying nature?
  3. Has there been unauthorized access to personal information, or unauthorized disclosure of personal information, or loss of personal information in circumstances where access to the information is likely to occur?

Criteria for determining severity of breach

  1. The type and extent of personal information involved
  2. Whether multiple individuals have been affected
  3. Whether the information is protected by any security measures (password protection or encryption)
  4. The person or kinds of people who now have access
  5. Whether there is (or could be) a real risk of serious harm to the affected individuals

“Serious harm” could include physical, physiological, emotional, economic/financial or reputational harm.

The DBS Data Protection Officer to issue report and instructions

At this point the Data Protection Officer will issue a report to include all pertinent details, including any instructions that could be useful to those affected. The report and instructions will then be forwarded to any and all impacted clients. Clients will then be instructed to inform their users. If insufficient information is available at this time, follow-up reports will be issued.

In situations where it may not be practical to contact all impacted parties, DBS will take reasonable steps to publicize the statement (including publishing on the website).

“Clients” are defined here as anyone to whom DBS is providing a hosted service. For self-hosted applications, DBS will be responsible for notifying those users.

Post Mortem

Once the incident has been dealt with, DBS will turn its attention to the following:

Contact details

Contact for all matters related to privacy, including complaints about breaches of privacy, should be directed as follows:

DBS Data Protection Officer

E: privacy@dbsinteractive.com