RYPT Data Breach Response Policy

Last modified: 31st May 2024

RYPT is committed to protecting the company’s employees, customers, users, partners and the company from illegal or damaging actions by individuals, either knowingly or unknowingly.

The protection and security of the personal data that we process is of paramount importance to us. The company is committed to its obligations under GDPR and maintains a robust and structured programme for compliance with, and monitoring of, our data management practices.

Personal data infringements could result in a fine of up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher. In addition, personal liability can arise where an offence has been committed by the company and it is proved to have been committed with the consent or connivance of, or to be attributable to neglect on the part of, a director, manager, secretary or similar officer of the company.

The purpose of this policy is to establish the procedures that must be followed should a personal data breach occur, whether within RYPT or externally at a third-party data processor.

This policy will clearly define to whom it applies and under what circumstances, and it will include the definition of a breach, staff roles and responsibilities, as well as identification, reporting, assessment, and communication mechanisms.

The policy shall be well publicized and made easily available to all personnel whose duties involve data privacy and security protection. RYPT’s intentions for publishing a Data Breach Response Policy are to focus significant attention on data security and data security breaches and how the company’s culture of openness, trust and integrity should respond to such activity.

This policy applies to all RYPT staff, meaning permanent, fixed-term, and temporary staff, as well as any third-party representatives or sub-contractors, agency workers, volunteers, interns and agents, engaged with RYPT in Ireland or internationally.

3.1. Enforcement

Adherence to this policy is mandatory and non-compliance could lead to disciplinary action. Any third-party partner company found in violation may have their network connection terminated.

Under the General Data Protection Regulation (GDPR), personal data breaches that are likely to result in a risk to the rights and freedoms of individuals must be reported to the Data Protection Commissioner (DPC) within 72 hours of first becoming aware of the breach.

5.1. Identification of an Incident

A ‘Personal Data Breach’ means a breach of security (whether arising from a system or human failure, error or issue) leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

All staff should be able to identify a breach or incident. As soon as a data incident has been identified, it must be reported to the Data Protection Officer (DPO) immediately so that breach investigation procedures can be initiated and followed without delay. Early recognition and reporting of breaches are essential to ensure the 72-hour time limit for reporting to the DPC is met.

5.2. Reporting of Incident

RYPT has developed an Incident Reporting Form for all incidents, which is completed for any data breach, regardless of severity or outcome. Completed forms are logged and reviewed against existing records to identify patterns or recurrences.

In all cases of data incidents, the DPO is responsible for carrying out a full investigation, appointing the relevant staff to contain the impact of the incident, undertaking an analysis of the incident and, where necessary, making any relevant and legal notifications. A copy of the completed incident form is filed for audit and documentation purposes.

5.3. Take Corrective Actions

As soon as an incident has been reported to the DPO, measures must be taken to contain the impact. Such measures are not in the scope of this document due to the vast nature of such incidents and the variety of measures to be taken. However, the aim of any such measures should be to stop any further risk/breach to the company, customer, partner, user, third party, system or data before investigation and reporting.

5.4. Breach Risk Assessment

In assessing the risk arising from the data breach the DPO should consider:

  • What type of information/data is involved?
  • How many individuals are affected by the breach?
  • Have all of the data subjects affected by the breach been identified and are their contact details available?
  • How sensitive is the information/data?
  • What could the information/data tell a third party about the individual?
  • What happened to the information, and where is it now?
  • Are there any security mechanisms in place (e.g. password protection, encryption)?
  • Is the breach likely to adversely affect the data privacy rights and freedoms of the data subjects concerned?
  • Are there any wider consequences/implications of the incident?

If the breach poses a significant risk to the rights and freedoms of the data subjects involved, the DPO should give instruction on corrective actions and on how to prevent the breach from happening in the future.

The DPO should keep an ongoing log and clear report detailing the nature of the incident, steps taken to preserve any evidence, notes of any interviews or statements, the assessment of risk/investigation designating a notifiable breach and any recommendations for future work/actions.

Where the data breach is the result of human error, an investigation into the root cause is carried out. A review of the procedure(s) associated with the breach is conducted and a risk assessment is completed. Any identified gaps that are found to have caused/contributed to the breach are revised to mitigate any future occurrence of the same root cause. Outcomes can include but are not limited to:

  • Employee training
  • Restriction of access to data or systems
  • Review of vendor due diligence
  • Re-assessment of compliance knowledge

Where the data incident is the result of a system error/failure, the DPO should assess the risk and investigate the root cause of the incident. A gap analysis is to be completed on the system(s) involved and a full review and report are to be added to the Incident Reporting Form. Any identified gaps that are found to have caused/contributed to the incident are to be revised and risk-assessed to mitigate and prevent any future occurrence of the same root cause.

Full details of the incident should be determined and mitigating action such as the following should be taken to limit the impact of the incident:

  • Attempting to recover any lost equipment or personal data
  • Shutting down a specific system
  • The use of back-ups to restore lost, damaged or stolen information
  • If the incident involves any entry codes or passwords, then these codes must be changed immediately and members of staff informed

5.5. Reporting of Incident to the Data Protection Commission

Where an incident is likely to result in a risk to the rights and freedoms of individuals, the DPC is notified no later than 72 hours after the company becomes aware of the breach. The notification to the DPC will contain:

  • A description of the nature of the personal data breach
  • A description of the likely consequences of the personal data breach
  • The categories and approximate number of data subjects affected
  • The categories and approximate number of personal data records concerned
  • The name and contact details of RYPT’s DPO and/or any other relevant point of contact
  • A description of the measures taken to date or proposed measures to address the breach (including measures to mitigate its possible adverse effects)

Where a breach is assessed by the DPO and deemed to be unlikely to result in a risk to the rights and freedoms of natural persons (e.g. where a lost or stolen device is encrypted), RYPT reserves the right not to inform the DPC in accordance with Article 33 of the GDPR.

5.6. Reporting of Incident to Data Subject

When a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the DPO will communicate the circumstances of the personal data breach to the impacted data subject(s) without undue delay, in a written, clear and legible format. The notification to the Data Subject shall include:

  • A description of the nature of the personal data breach
  • A description of the likely consequences of the personal data breach
  • Confirmation that the DPC has been notified
  • The name and contact details of RYPT’s DPO and/or any other relevant point of contact for further information
  • A description of the measures taken or proposed to be taken by the company to address the personal data breach (including measures to mitigate its possible adverse effects)
  • Suggested measures which the Data Subject might take to further minimise the impact of the Breach

RYPT reserves the right not to inform the data subject(s) of a personal data breach where we have implemented appropriate technical and organisational measures which render the data unintelligible to any person who is not authorised to access it (e.g. encryption, data masking), or where we have taken subsequent measures which ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialise.

Incident response procedures are always followed and an investigation is carried out, regardless of our notification obligations and their outcomes, with reports being retained and made available to the DPC if requested. Reports are retained for 6 years from the date of the incident. Incident Reporting Forms are to be reviewed annually to assess for patterns or breach recurrences and to confirm that actions have been taken to prevent further incidents from occurring.

RYPT will ensure that all staff are provided with the time, resources and support to learn, understand and implement all procedures within this policy, as well as understanding their responsibilities and the data incident reporting lines.

The DPO is responsible for annual compliance audits and gap analysis monitoring.