1. Purpose

This policy establishes the guidelines for detecting, reporting, and responding to data breaches involving personal and sensitive information held by Switcheroo.co.uk, ensuring compliance with applicable laws and regulations.

2. Scope

This policy applies to all employees, contractors, and third-party service providers of Switcheroo.co.uk who have access to personal and sensitive data.

3. Definitions

  • Data Breach: Any unauthorized access, disclosure, alteration, loss, or destruction of personal or sensitive data.
  • Personal Data: Any information relating to an identifiable person.
  • Sensitive Data: Special categories of personal data requiring higher levels of protection.

4. Roles and Responsibilities

  • Data Protection Officer (DPO): Oversees data protection strategy and implementation.
  • IT Security Team: Responsible for maintaining secure systems, detecting breaches, and implementing corrective measures.
  • All Employees: Required to report any suspected data breaches immediately.

5. Breach Detection

Proactive measures will be employed to detect data breaches, including but not limited to:

  • Regular system audits.
  • Intrusion detection systems.
  • Employee training and awareness programs.

6. Reporting a Breach

In the event of a data breach or suspected breach, the incident must be reported immediately to the DPO and IT Security Team.

7. Breach Assessment

Upon notification of a breach, the IT Security Team will:

  • Conduct an initial assessment.
  • Determine the scope and impact of the breach.
  • Notify the DPO and senior management.

8. Notification Procedures

In the case of a significant breach, the following notification procedures will be enacted:

  • Regulatory Notification: Inform relevant authorities in accordance with GDPR or other applicable regulations within 72 hours of discovering the breach.
  • Individual Notification: Inform affected individuals without undue delay if the breach poses a high risk to their rights and freedoms.

9. Documentation and Record Keeping

All data breaches will be documented, detailing:

  • The nature of the personal data involved.
  • The likely consequences of the breach.
  • The measures taken or proposed to address the breach.

10. Review and Evaluation

This policy and its procedures will be reviewed annually or after a significant breach to ensure effectiveness and compliance with evolving data protection regulations.