Data Breach Procedure

Data Breach Procedure

First version: 2021-04-15
Last updated: 2023-10-19
Last change: Link to Data Protection policy
Last reviewed: 2024-10-30

Introduction

Every care is taken by anDREa to protect personal data from situations where a data protection breach could compromise security. 

This policy and procedure applies to all staff, partners, (sub)contractors, tenants, and users or third parties we work with. It should be read in conjunction with the anDREa’s Data Protection Policy.

The objective of this policy is to enable staff to act promptly to contain any breaches that occur, minimizing the risk associated with the breach and to take action if necessary to secure personal data and prevent further breaches. 

anDREa expects its staff and delegated people to embed security and prevention practices in their normal working day to ensure personal, or special category, data is protected for the purposes of Workspaces in the Shared Tenant of anDREa and must take appropriate steps to safeguard this information. 

Under the Data Protection Act, although there is no legal obligation on data controllers to report breaches of security, the new General Data Protection Regulation (GDPR) means we have to report any breach that is likely to impact on data subjects. The procedure below is set out to help identify when a breach has taken place and what the action should be. 

Definitions


Data Breach Procedure

1 Identifying and Reporting a Data Breach 

If you discover a data breach, establish whether is related to: 
  1. anDREa user data/accounts 
  2. data in a Workspace accessed or accessible by unauthorized people or services 
  3. (study) data accessed or accessible by unauthorized people or services other than via a Workspace 
 
When #3 is applicable, please contact the Chief Technology Officer (CTO) of the responsible Tenant and/or the person responsible for that data. If this is impossible, please contact anDREa’s Data Protection Officer: Contact information
 
When #1 or #2 is applicable you must report this to anDREa’s Chief Technology Officer (CTO) immediately. 
Info
  1. Go to https://support.mydre.org/portal/en/myarea
    1. If needed, please create an account first
  2. Click Add ticket
  3. Click myDRE
  4. Choose the appropriate template
  5. Fill in the template and submit
 
anDREa’s Data Protection Officer is Stefan van Aalst and any breach, or suspected breach, can be sent for his attention via: Contact information
 
All breaches big or small, regardless of the harm or potential harm, should be identified and reported. 
 
False alarms or even breaches that do not cause any harm to individuals or to anDREa should nevertheless be reported as it will enable anDREa to learn lessons in how to respond and the remedial action that we put in place. 
 
We have a legal obligation to keep a register of all data breaches. Please ensure that you report any breach, even if you are unsure whether or not it is a breach. 
 
It is the responsibility of the DPO, not yours, to report to the authorities.

Notes
anDREa is not obliged to have a Data Protection Officer (DPO), the DPO responsibilities fall under the responsibilities of anDREa Chief Technology Officer (CTO)
 

2 Investigating the Data Breach 

When you report a data breach to the CTO, they will promptly investigate the breach to ascertain whether we are fully aware that a breach has occurred leading to personal data being compromised for our data subjects. 
 
The investigation will be done within 48 hours of a breach being reported to anDREa, so that it can ensure it complies with the 72 hour deadline to report any data subject or serious security breaches in a timely way to the CTO data breach may result in disciplinary action. 
 

3 Assessing the Data Breach 

Once you have reported a breach and our CTO has investigated it and has decided that we are aware that a breach has occurred, CTO will log the breach in our Data Breach Register and will carry out an initial assessment of the breach to evaluate its severity. 
 
Once the level of severity is known, our CTO will notify management. If necessary, we will appoint a response team which may involve for example our HR and IT teams and we will assign responsibility for particular tasks as necessary across the response team. 
 
We will then investigate the breach and consider any on-going risks to anDREa and any individuals affected. If our CTO and management consider that the breach is very serious, they will consider the impact on our reputation and the effect it may have on the trust placed in us.   

4 Formulating a Recovery Plan 

Our CTO and senior management will investigate the breach and consider a recovery plan, if required, to minimise the risk to individuals. As part of the recovery plan, our CTO and senior management may interview any key individuals involved in the breach to determine how the breach occurred and what actions have been taken. 

5 Notifying a Data Breach to Autoriteit Persoonsgegevens (AP) 

Unless the breach is unlikely to impact on data subjects or result in a risk to the rights and freedoms of individuals, we must notify the breach to the AP within 72 hours of becoming aware of the breach. We must also notify the individuals concerned as soon as possible where the breach is likely to result in a high risk to their rights and freedoms. 
 
The content of the notification will be drafted by our CTO, and any notification to the AP must only be made by the CTO. 

 

6 Notifying a Data Breach to Individuals/Tenants  

We must also notify the individuals concerned as soon as possible where the breach is likely to result in a high risk to their rights and freedoms. 
 
The content of the notification will be drafted by our CTO in line with our procedures and in conjunction with consulting the AP if considered necessary. We will notify individuals and Tenants in clear and plain language and in a transparent manner (for example by email or SMS). Please be aware that under no circumstances must you try and deal with a data breach yourself.  
 
In some circumstances, we may not need to notify the affected individuals. Our CTO will decide whether this is the case. 

7 Updating Notifications 

We need to keep the AP up to date about the data breach. If anything changes from the time we send the initial notification to the AP, our CTO will consider whether we need to update the AP about the data breach. 

8 Evaluation and Response 

The key to preventing further incidents is to ensure that anDREa learns from previous incidents. 
 
It is extremely important to identify the actions that anDREa needs to take to prevent a recurrence of the incident. Our CTO and the Senior Leadership Team will carry out an evaluation as to the effectiveness of our response to the data breach and document this in our Data Breach Register. Senior management may then make changes to anDREa’s procedures to minimize the likelihood of incidents occurring again. 



    • Related Articles

    • Contingency Procedure (A.17.1.2)

      Introduction anDREa is committed to protecting the security of its business information in the face of incidents and unwanted events and  has implemented an Information Security Management System (ISMS) that is compliant with ISO/IEC/27001:2013, the ...
    • Data - ownership, responsibility, and control

      Ownership of data can be a tricky question when it comes down to personal data or data of persons. For instance, it is not unlikely that it depends on what subsection of Article 6 was used. By design, myDRE is a pragmatic and solid answer to a, ...
    • EU Data Protection Code of Conduct for Microsoft Azure

      Trust in cloud computing is essential (copied from euroc.cloud) It has never been more true than today to assert that without user trust, technology will not be able to advance to reach its full potential. At the core of building trust is robust data ...
    • Data Protection Impact Assessment (DPIA)

      First version: 2021-05-13 Last updated: 2024-03-07 Last change: Added link to NEN-7510 article. Introduction anDREa is committed to the GDPR. The purpose of this document is to describe anDREa’s Data Protection Impact Assessment (DPIA). The template ...
    • Data Handling policy

      First version: 2021-05-13 Last updated: 2023-10-19 Last change: Removed a double negative sentence based on the feedback in our Support Team Agreement. Introduction anDREa B.V. (hereafter called anDREa) is committed to protect the data and privacy of ...