This Data Breach Policy sets out how EMW STax Limited (“we,” “our,” “us,” “the company”) manages a data breach involving the Personal Data of our clients, prospective clients, suppliers, employees, workers, business contacts and other third parties.
SCOPE OF POLICY AND WHEN TO SEEK ADVICE ON DATA PROTECTION COMPLIANCE
We recognise that the correct and lawful treatment of Personal Data will maintain trust and confidence in the organisation and will provide for successful business operations. Protecting the confidentiality and integrity of Personal Data is a critical responsibility that we always take seriously. The Information Commissioner’s Office (ICO) can impose fines for breaches of data protection laws, including GDPR. Maximum fines can reach up to £17.5M or 4% of annual global turnover, whichever is the higher.
Everyone in the company is responsible for complying fully with this Data Breach Policy and must understand their responsibilities and the process to be followed in the event of a data breach.
What is a personal data breach?
A personal data breach is an instance where a breach of security leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.
Examples of personal data breaches include:
- Access by an unauthorised third party.
- Deliberate or accidental action (or inaction) by a controller or processor.
- Sending personal data to an incorrect recipient.
- Computing devices containing personal data being lost or stolen.
- Alteration of personal data.
A personal data breach can be defined as a security incident that has affected the confidentiality, integrity, or availability of personal data. This means that a breach occurs whenever any personal data is accidentally lost, destroyed, corrupted, or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable and this unavailability has a significant impact on individuals.
Risk assessing a data breach
In the event that a data breach occurs, you must notify Craig Powell immediately, as soon as you become aware that a breach has occurred. You must not attempt to investigate or rectify the matter yourself. At this stage we will take steps to contain the breach and assess the potential adverse impact on any individuals.
Craig will consider the outcome of the assessment of the breach and determine whether there is a requirement to notify the ICO and/or the individual affected by the breach. This depends on the potential adverse impact on any individuals. All evidence relating to a potential data breach must be preserved for future review.
When do we need to tell individuals about a breach?
If the data breach is likely to adversely affect an individual’s rights and freedoms, there will be a requirement to report the data breach to the ICO. The facts will be compiled into a report and notified to the ICO within 72 hours of the data breach occurring.
Where the data breach is likely to adversely affect an individual’s rights and freedoms, we must provide the following information in a clear and transparent manner:
- Details of the nature of the personal data breach.
- The name and contact details of the person from whom more information can be obtained.
- A description of the possible consequences of the personal data breach.
- A description of the measures taken or proposed to deal with the personal data breach and, where appropriate, a description of the measures taken to mitigate any possible adverse effects.
Where we engage with a third-party introducer and communication is directly with the introducer rather than an individual client, we must inform the third party of any relevant personal data breach and the potential risks to the individual without undue delay, and no later than 72 hours after becoming aware of the data breach.
How we collect and process personal data/information
Our Privacy Policy contains full information about how we collect and process your personal information. View the policy here.
Data Retention Policy
Full details on our Data Retention Policy can also be found here.