Data Breach Policy
Policy Statement
Legacy Oak Group Limited (hereinafter referred to as the “Company”) is committed to meeting its obligations under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA18), and to maintaining a thorough and structured programme for compliance and monitoring.
We carry out regular risk assessments to identify potential risks, and regular reviews to ensure that our compliance processes and procedures are correct and that responses are in place for any potential breach. This policy sets out the procedures we follow should a breach occur.
We recognise that not every risk can be eliminated; however, we hold all personal data with appropriate confidentiality and security controls to minimise the likelihood of a breach. The data protection and security of individuals is paramount to us, and we have therefore developed robust procedures to follow should any data protection risk or breach arise.
Purpose
The purpose of this policy is to set out our intentions and values in relation to data and personal information. At Legacy Oak Group Limited we treat it as our obligation to continuously adapt and improve the procedures, controls and solutions in place for all employees. We consider this important and therefore provide extensive training to all members of staff, so that every employee is aware of the protocols and reporting procedures for personal information breaches. This policy sets out the processes in place at Legacy Oak Group Limited for identifying, reporting, investigating and cooperating on such incidents.
Scope
This policy applies to, and must be adhered to by, every employee of Legacy Oak Group Limited regardless of their terms of employment. Every member of staff, whether temporary, permanent, agency, volunteer, intern or agent, within the UK or overseas, is expected to follow this policy and its procedures. Failure to adhere to this policy will result in action by the Company and could lead to disciplinary action or dismissal.
Data Security & Breach Requirements
At Legacy Oak Group Limited a data breach is defined as any security incident, loss of control, or system or staff failure that results in the loss, alteration, unauthorised disclosure of, or access to, individuals’ personal data.
In addition to our Privacy Policy, Legacy Oak Group Limited has a legal obligation to ensure that all personal information is protected whilst it is processed by us. These processes and obligations are set out in our Data Protection Policy & Procedures and our Information Security Policies.
To ensure our policies are consistently adhered to, we carry out a range of audits to ensure personal data is accurately identified, assessed and recorded. The associated risk assessments assess the impact of a potential breach. To reduce the likelihood of a breach we have implemented technical and organisational measures appropriate to the risks, including:
- Encryption of personal data
- Restricted access
- Reviewing, auditing and improvement plans
- Disaster Recovery and Business Continuity Plan
- Audit procedures and stress testing on a regular basis
- Frequent and ongoing data protection training programmes for all employees
- Staff assessments and regular knowledge testing to ensure a high level of competency, knowledge and understanding
- Reviewing internal processes to ensure that where personal information is transferred, disclosed, shared or is due for disposal, it is rechecked and authorised by the DPO
Objectives
- To adhere to the GDPR and the UK Data Protection Act 2018 and to have robust and adequate procedures and controls in place for identifying, investigating, reporting and recording any data breaches
- To develop and implement adequate, effective and appropriate technical and organisational measures to ensure a high level of security with regard to personal information
- To utilise information audits and risk assessments for mapping data and to reduce the risk of breaches
- To have adequate and effective risk management procedures for assessing any risks presented by processing personal information
- To ensure that any data breaches are reported to the correct regulatory bodies within the timeframes set out in any regulations, codes of practice or handbooks
- To use breach investigations and logs to establish the root cause of any breach and to carry out a full review to prevent further incidents from occurring
- To use the Data Breach Incident Form for all data breaches, regardless of severity, so that any patterns in causes can be identified and corrected
- To protect consumers, clients and employees, including their information and identity
- To ensure that, where applicable, the Data Protection Officer is involved in and notified about all data breaches and risk issues
- To ensure that the Supervisory Authority is notified of any notifiable data breach without undue delay and, at the latest, within 72 hours of the Company having become aware of the breach
Data Breach Procedures & Guidelines
Legacy Oak Group Limited has thorough procedures in place to prevent data breaches and clear procedures to follow should a breach occur. Our procedures for identifying, managing and investigating a breach are detailed below. Our documented breach incident procedure aims to deal with each breach and its impact correctly whilst ensuring the relevant notifications are made.
Breach Monitoring & Reporting
Legacy Oak Group Limited has appointed Shaban Ali as the person responsible for the review and thorough investigation of any data breach involving personal information. Every incident, regardless of its apparent severity or impact, is reported and handled under the same procedure; its actual severity is then established by the risk assessment described below. All breaches must be reported to this individual immediately so that the procedures that follow can be carried out.
All data breaches within the Company are investigated fairly, and a full record of breaches is kept and retained.
Breach Incident Procedures
Identification of an Incident
At Legacy Oak Group Limited, as soon as a breach has been identified it is reported to the employee's direct line manager and to the reporting officer so that the breach procedures are followed with immediate effect. Employees are expected to follow the procedures they have been made aware of; these exist to protect the Company, its employees and its customers, and to maintain legal and regulatory compliance.
As soon as a potential breach has been reported and the relevant managers have been notified, steps must be taken to contain the breach. All breaches must be recorded on the Breach Incident Form with immediate effect.
Breach Recording
At Legacy Oak Group Limited we use the same Breach Incident Form for all incidents, regardless of their severity or outcome. Every completed form is stored as an electronic copy in the Breach Incident Folder and regularly reviewed against existing incidents to identify potential recurrences.
If a data breach occurs, it is the responsibility of Shaban Ali to complete a thorough investigation, to record the entire breach and to make all relevant legal notifications. The outcome of the investigation is communicated to all staff involved and to senior management, and a copy of the completed investigation is filed on site.
If required, the Supervisory Authority's ‘Security Breach Notification Form’ must be completed and submitted by Shaban Ali. In addition, any individual directly affected by the breach must be notified where required, kept informed during the investigation and provided with a report of the outcomes and actions taken.
Breach Risk Assessment
Human Error
If the breach results from human error, a thorough investigation will be carried out to identify the reason for the breach, followed by an interview with the employee(s) involved.
The investigation will also include a review of the procedures in place at the firm and a full risk assessment following the Risk Assessment Procedures. This will identify any gaps in procedure that may have contributed to the breach; the procedures will then be corrected to prevent further breaches.
Consequential employee outcomes of such an investigation can include, but are not limited to:
- Re-training in specific/all compliance areas
- Re-assessment of compliance knowledge and understanding
- Suspension from compliance related tasks
- Formal warning (in line with the Company’s disciplinary procedures)
System Error
If the breach results from a system error or failure, the designated IT team works alongside the DPO to identify and investigate the cause of the breach. An analysis of the systems involved is completed and a full report is drawn up and attached to the Breach Incident Form.
Throughout the investigation, any identified causes of or contributors to the breach will be assessed and addressed to prevent a recurrence. The following containment measures should be considered when dealing with the incident:
- Attempting to recover any lost equipment or personal information
- Shutting down an IT system (having first preserved any evidence the investigation will need)
- Removing an employee from their tasks
- The use of back-ups to restore lost, damaged or stolen information
- Making the building secure
- If the incident involves any entry codes or passwords, changing them immediately and informing members of staff
Assessment of Risk and Investigation
The DPO is expected to determine what information was involved in the breach and to ensure further breaches are prevented.
The principal investigator should look at:
- The type of information involved
- Its sensitivity or personal content
- What protections are in place (e.g. encryption)
- What happened to the information and where it is now
- Whether there are any wider consequences or implications of the incident
The DPO should keep a running record of the incident, including its details, any action taken to preserve evidence, minutes of interviews and statements, minutes of the investigation and any proposed actions that will be required.
Breach Notifications
Legacy Oak Group Limited recognises its responsibility to report potential breaches immediately in all circumstances. All employees are trained in, and competent with, the firm's responsibilities and the reporting procedures it has implemented, which are designed to ensure that all breaches are reported and acted upon immediately.
Supervisory Authority Notification
Where a breach is likely to result in a risk to the rights and freedoms of individuals, the Supervisory Authority must be informed. Such occurrences must not be ignored, as outlined above. Legacy Oak Group Limited ensures the Supervisory Authority is informed of the breach without undue delay and no later than 72 hours after the Company becomes aware of it.
The full investigation and report, together with the outcomes, are provided within an agreed timescale.
Should the Supervisory Authority not be informed within 72 hours, the notification will be accompanied by the reasons for the delay. Where the DPO's assessment concludes that the breach is unlikely to result in a risk to the rights and freedoms of any individual, the firm is not required to notify the Supervisory Authority, in accordance with Article 33 of the GDPR; the breach is still recorded as described under Record Keeping below.
The notification to the Supervisory Authority will contain:
- A description of the nature of the personal data breach
- The categories and approximate number of data subjects affected
- The categories and approximate number of personal data records concerned
- The name and contact details of our Data Protection Officer and/or any other relevant point of contact (for obtaining further information)
- A description of the likely consequences of the personal data breach
- A description of the measures taken or proposed to be taken to address the personal data breach (including measures to mitigate its possible adverse effects)
Legacy Oak Group Limited ensures all breach incident procedures are followed and a thorough investigation is carried out. Every aspect of this report is then available to the Supervisory Authority if requested.
If Legacy Oak Group Limited is acting as a processor, the controller will be informed of the breach without undue delay. Where we are the controller using an external processor, a written agreement is in place requiring the processor to inform us without undue delay after becoming aware of a data breach.
Data Subject Notification
Where the breach is likely to result in a high risk to the rights and freedoms of individuals, Legacy Oak Group Limited will communicate it to the affected individuals directly, without undue delay and in clear and plain language.
The notification to the Data Subject shall include:
- The nature of the personal data breach
- The name and contact details of our Data Protection Officer and/or any other relevant point of contact (for obtaining further information)
- A description of the likely consequences of the personal data breach
- A description of the measures taken or proposed to be taken to address the personal data breach (including measures to mitigate its possible adverse effects)
We reserve the right not to inform the data subject of a personal data breach where we have implemented appropriate technical and organisational measures which render the data unintelligible to any person who is not authorised to access it (for example encryption or data masking), or where we have taken subsequent measures which ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialise.
If informing the data subject of the breach involves disproportionate effort, we reserve the right to instead make a public communication whereby the data subject(s) are informed in an equally effective manner.
Record Keeping
At Legacy Oak Group Limited every record and note taken while identifying and investigating a breach is recorded, authorised by the DPO and retained for 6 years from the date of the occurrence. Throughout this period, incident forms are reviewed monthly to identify any recurrence of similar incidents.
Responsibilities
At Legacy Oak Group Limited every employee is given the time, training, resources and support to learn and become familiar with all procedures in this document. Every employee is made aware of their responsibility to understand their role and obligations under the GDPR and the reporting procedures.
The DPO is responsible for ensuring that regular and thorough audits, reviews and follow-ups are completed so that all processes remain effective and are adhered to. Compliance reviews are also audited on a continuous basis.