Date: May 2018
This document describes the processes to be followed by DBS Interactive in the event that DBS experiences a data breach, or suspects that a data breach may have occurred. A data breach involves the loss of, unauthorized access to, or unauthorized disclosure of, personal information.
DBS is committed to managing all data, including personal information, in accordance with all relevant laws and regulations, including Europe’s General Data Protection Regulation.
DBS is prepared to act quickly in the event of such an incident.
Adherence to this Data Breach Policy will ensure that DBS can contain, assess and respond to data breaches expeditiously, and mitigate potential harm to the person(s) and entities affected.
Where a privacy data breach is known to have occurred, or is suspected, any member of DBS staff who becomes aware of this must, within 2 hours, alert the DBS executive team.
The information that should be provided (if known) at this point includes:
Once notified of the information above, the DBS executive team must consider whether a privacy data breach has (or is likely to have) occurred and make a preliminary judgement as to its severity.
Criteria for determining whether a privacy data breach has occurred
Criteria for determining severity of breach
“Serious harm” could include physical, physiological, emotional, economic/financial or reputational harm.
At this point the Data Protection Officer will issue a report to include all pertinent details, including any instructions that could be useful to those affected. The report and instructions will then be forwarded to any and all impacted clients. Clients will then be instructed to inform their users. If insufficient information is available at this time, follow-up reports will be issued.
In situations where it would not be practical to contact all impacted parties, DBS will take reasonable steps to publicize the statement (including publishing on the website).
“Clients” are defined here as anyone to whom DBS is providing a hosted service. For self-hosted applications, DBS will be responsible for notifying those users.
Once the incident has been dealt with, DBS will turn its attention to the following:
Contact for all matters related to privacy, including complaints about breaches of privacy, should be directed as follows:
DBS Data Protection Officer