Logicol de Catalunya S.L. is committed to our obligations under the regulatory system and in accordance with the GDPR. We maintain a robust and structured program for compliance adherence and monitoring. We carry out frequent risk assessments and gap analysis reports to ensure that our compliance processes, functions and procedures are fit for purpose and that mitigating actions are in place where necessary, however should there be any data breaches, this policy states our intent and objectives for dealing with such a breach.
Although we understand that not all risks can be completely mitigated, we operate a robust and structured system of controls, measures and processes to help protect data subjects and their personal information from the risks associated with processing data. The protection and security of the data that we hold and use, including personal information, is paramount to us and we have developed data specific controls and protocols for any breaches involving personal information and data subject to the GDPR requirements.
The purpose of this policy is to provide Logicol de Catalunya S.L.’s intent, objectives and procedures regarding data breaches involving personal information. This policy is specific to personal information and the breach requirements set out in the GDPR.
As we have obligations under the GDPR, we also have a requirement to ensure that the correct procedures, controls and measures are in place and disseminated to all employees if a personal information breach occurs. This policy also notes our processes for reporting, communicating and investigating any such breach.
Whilst it is Logicol de Catalunya S.L.’s aim to prevent data breaches where possible, we do recognise that human error and risk elements occur in business that prevent the total elimination of any breach occurrence. We also have a duty to develop protocols for data breaches to ensure that employees, the supervising authority and associated bodies are aware of how we handle any such breach.
The policy relates to all staff (meaning permanent, fixed term, and temporary staff, any third-party representatives or sub-contractors, agency workers, volunteers, interns and agents engaged with Logicol de Catalunya S.L. in Spain or overseas) within the organisation and has been created to ensure that staff deal with the area that this policy relates to in accordance with legal, regulatory, contractual and business expectations and requirements.
Logicol de Catalunya S.L.’s definition of a personal data breach for the purposes of this policy is any breach of security, lack of controls, system or human failure, error or issue that leads to, or results in, the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Alongside our 'Privacy by Design' approach to protecting data, we also have a legal, regulatory and business obligation to ensure the maximum security of data that is processed, including as a priority, when it is shared, disclosed and transferred. Our Information Security Policy & Procedures and GDPR Policy & Procedures provide the detailed measures and controls that we take to protect personal information and to ensure its continued security.
We carry out information audits to ensure that all personal data held and processed by us is accounted for and recorded, alongside risk assessments as to the scope and impact a data breach could have on data subject(s). We have implemented adequate, effective and appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including (but not limited to):
Logicol de Catalunya S.L. has robust objectives and controls in place for preventing data breaches and for managing them in the rare event that they do occur. Due to the nature of our business, Logicol de Catalunya S.L. process and stores personal information and confidential data and as such, we have developed a structured and documented breach incident program to mitigate the impact of any data breaches and to ensure that the correct notifications are made.
We carry out frequent risk assessments, reviews, audits and gap analysis reports on all processing activities and personal data storage, transfers and destruction to ensure that our compliance processes, functions and procedures are fit for purpose and are mitigating the risks wherever possible.
All data breaches will be investigated, even in instances where notifications and reporting is not required and we retain a full record of all data breaches to ensure that gap and pattern analysis are used. Where a system or process failure has given rise to a data breach, revision to any such process is recorded in the Change Management and Document Control records.
As soon as a data breach has been identified, it is reported to the Compliance Officer immediately so that breach procedures can be initiated and followed without delay.
Reporting incidents fully and with immediate effect is essential to the compliant functioning of Logicol de Catalunya S.L. and is not about apportioning blame. These procedures are for the protection of Logicol de Catalunya S.L., its staff, customers, clients and third parties and are of the utmost importance for legal regulatory compliance.
As soon as an incident has been reported, measures must be taken to contain the breach. Such measures are not in the scope of this document due to the vast nature of breaches and the variety of measures to be taken; however, the aim of any such measure should be to stop any further risk/breach to the organisation, customer, client, third-party, system or data prior to investigation and reporting.
Logicol de Catalunya S.L. utilises the Breach Incident Form for all incidents and is completed after every instance of a data breach, regardless of severity or outcome. Completed forms are logged in the Breach Incident Folder and reviewed against existing records to ascertain any patterns or reoccurrences.
In cases of data breaches, the Compliance Officer is responsible for carrying out a full investigation, appointing the relevant staff to contain the breach, recording the indecent on the breach form and making any relevant and legal notifications. The completing of the Breach Incident Form is only to be actioned after containment has been achieved.
A full investigation is conducted and recorded on the incident form, the outcome of which is communicated to all staff involved in the breach in addition to upper management. A copy of the completed incident form is filed for audit and record purposes.
If applicable, the Supervisory Authority and the data subject(s) are notified in accordance with the GDPR requirements (refer to Breach Notifications section this policy). The Supervisory Authority protocols are to be followed and their 'Security Breach Notification Form' should be completed and submitted. In addition, any individual whose data or personal information has been compromised is notified if required, and kept informed throughout the investigation, with a full report being provided of all outcomes and actions.
Where the data breach is the result of human error, an investigation into the root cause is to be conducted and a formal interview with the employee is to be held.
A review of the procedure/s associated with the breach is to be conducted and a full risk assessment completed in accordance with Logicol de Catalunya S.L. existing Risk Assessment Procedures. Any identified gaps that are found to have caused/contributed to the breach are to be revised and risk assessed to mitigate any future occurrence of the same root cause.
Resultant employee outcomes of such an investigation can include, but are not limited to:
Where the data breach is the result of a system error/failure, the IT team is to work in conjunction with the Compliance Officer to assess the risk and investigation the root cause of the breach. A gap analysis is to be completed on the system/s involved and a full review and report to be added to the Breach Incident Form.
Any identified gaps that are found to have caused/contributed to the breach are to be revised and risk assessed to mitigate and prevent any future occurrence of the same root cause.
Full details of the incident should be determined and mitigating action such as the following should be taken to limit the impact of the incident:
The Compliance Officer should ascertain what information was involved in the data breach and what subsequent steps are required to remedy the situation and mitigate any further breaches.
The lead investigator should look at:
The appointed lead should keep an ongoing log and clear report detailing the nature of the incident, steps taken to preserve any evidence, notes of any interviews or statements, the assessment of risk/investigation and any recommendations for future work/actions.
Logicol de Catalunya S.L. understands that we have obligations and a duty to report data breaches in certain instances. All staff are aware of these circumstances and we have strict internal reporting lines to ensure that data breaches falling within the notification criteria are identified and reported without undue delay.
The Supervisory Authority is to be notified of any breach where it is likely to result in a risk to the rights and freedoms of individuals. These are situations which if the breach was ignored, it would lead to significant detrimental effects on the individual.
Where applicable, the Supervisory Authority is notified of the breach no later than 72 hours after us becoming aware of it and are kept notified throughout any breach investigation, being provided with a full report, including outcomes and mitigating actions as soon as possible and always within any specified timeframes.
If for any reason it is not possible to notify the Supervisory Authority of the breach within 72 hours, the notification will be made as soon as is feasible, accompanied by reasons for any delay. Where a breach is assessed by the Compliance Officer and deemed to be unlikely to result in a risk to the rights and freedoms of natural persons, we reserve the right not to inform the Supervisory Authority in accordance with Article 33 of the GDPR.
The notification to the Supervisory Authority will contain:
Breach incident procedures and an investigation are always carried out, regardless of our notification obligations and outcomes and reports are retained to be made available to the Supervisory Authority if requested.
Where Logicol de Catalunya S.L. acts in the capacity of a processor, we will ensure that controller is notified of the breach without undue delay. In instances where we act in the capacity of a controller using an external processor, we have a written agreement in place to state that the processor is obligated to notify us without undue delay after becoming aware of a personal data breach.
When a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, we will always communicate the personal data breach to the data subject without undue delay, in a written format and in a clear and legible format.
The notification to the Data Subject shall include:
We reserve the right not to inform the data subject of any personal data breach where we have implemented the appropriate technical and organisational protection measures which render the data unintelligible to any person who is not authorised to access it (i.e. encryption, data masking etc) or where we have taken subsequent measures which ensure that the high risk to the rights and freedoms of the data subject is no longer likely to materialise.
If informing the data subject of the breach involves disproportionate effort, we reserve the right to instead make a public communication whereby the data subject(s) are informed in an equally effective manner.
All records and notes taking during the identification, assessment and investigation of the data breach are recorded and signed by the Compliance Officer and are retained for a period of 7 years from the date of the incident. Incident forms are to be reviewed monthly to assess for patterns or breach reoccurrences and actions taken to prevent further incidents from occurring.
Logicol de Catalunya S.L. will ensure that all staff are provided with the time, resources and support to learn, understand and implement all procedures within this document, as well as their responsibilities and the breach incident reporting lines.
The Compliance Officer is responsible for regular compliance audits and gap analysis monitoring and their subsequent reviews and action follow ups.
Security controls work together to reduce risk in Logicol de Catalunya S.L.’s environment. These controls include security monitoring, firewalls, logging, and many others. Many of these security controls are also used to notify Logicol de Catalunya S.L management whenever a suspected incident takes place or there is a system anomaly detected in Logicol de Catalunya S.L.’s IT environment. This allows Logicol de Catalunya S.L management to respond to and perform necessary activities to limit damage being caused. Users also play an important role in supporting the incident response process, by reporting anomalies they are encountering, such as a suddenly slower computer, accidental viewing of confidential data in the clear, or a lost removable computer drive.
Maintaining an effective incident response program is critical to safeguarding Logicol de Catalunya S.L. from attacks, which can lead to a security breach (intentional or unintentional), causing harm to Logicol de Catalunya S.L.’s finances, operations, and brand name..
This policy applies to Logicol de Catalunya S.L. employees, third-parties, service providers, contractors, temporary employees, and/or other staff members at Logicol de Catalunya S.L., whether conducting activities on Logicol de Catalunya S.L. premises or off-site where personal data is present.
This policy applies to all systems, applications, and equipment owned and/or leased by Logicol de Catalunya S.L. where personal data is present.
Security controls and tools are to be configured to alert Logicol de Catalunya S.L. management of suspected or actual security events in real-time. Incidents can be identified from a variety of sources, to include, alerts from anti-virus and intrusion detection/prevention alerts, scans and tests, log reviews, Server Management team notifications, content file changes, general review processes, wireless scans or wireless intrusion detection systems, and others.
Notifications may also be provided from external sources, such as customers, law enforcement agencies, or the credit card brands. Additionally, Logicol de Catalunya S.L. staff are to be trained to identify anomaly behaviour and to notify Logicol de Catalunya S.L. management immediately. Logicol de Catalunya S.L. management must have a point of contact available 24/7/365 to receive these alerts and notifications and to begin the response process.
Should the suspected or actual incident be related to a breach of personal data, the Data Breach Policy & Procedures document should be followed to ensure compliance with the GDPR. If the breach involves payments, the payment system owners are to be notified immediately.
The Logicol de Catalunya S.L. management point of contact is to review the alert or notification and qualify whether it is necessary to initiate the incident response plan. In some cases, the occurrence may be a false positive or not a result of foul play. In these cases the Logicol de Catalunya S.L. management point of contact is to remediate the event and there is no need to initiate the incident response plan.
The Logicol de Catalunya S.L. management point of contact is to notify the remainder of the Incident Response Team (IRT) upon initiation of the incident response plan. The point of contact is to use the contact details, detailed in the Incident Response Plan in the Incident Management Procedure. All IRT members are expected to have their phones or pagers readily available in order to receive notifications.
In order to effectively respond to the incident, the IRT reviews the current and potential impact of the environment, assets being affected, damage, and prioritisation of the response.
The classification levels are detailed in the Incident Response Plan. In addition, the members of the IRT may be called in to initiate specific actions, such as notifying the, ICO, credit card brands, the media, Logicol de Catalunya S.L. employees, or to shut down systems.
The IRT is to respond to the incident following the methods defined in the Incident Response Plan. A third party resource may also be called in, as necessary, to perform emergency response services.
The IRT must determine whether the incident has had any impact on clients, and if so communicate this within 24 hours of noticing the incident. The IRT shall ensure that a process is established for dealing with incidents that require forensic investigation. This must include the ability to collect, analyse and preserve evidence in a forensically sound manner to support criminal proceedings if required.
The IRT Leader is to document the incident and the IRT’s actions and status as soon as it is feasible to do so. This documentation is to be kept updated with the progress and retained on file after the incident has been closed. This is especially necessary should Logicol de Catalunya S.L. move towards prosecuting the individual/s responsible for the incident. If the incident includes a breach of personal data, the Data Breach Incident Form should be completed.
After an actual incident or the annual test, the IRT should have a meeting to discuss how to improve the incident response process and to discuss industry developments. The Incident Response Plan should be updated as applicable. The Lessons Learned are to be documented, and as a result of each meeting shall store a record with the conclusions.
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Begin keeping records of all your actions, with the date and time of each one.
In brief the plan consists of the following phases:
Containment – Eradication – Recovery - Follow-up
The IRT Leader will:
The IRT Leader should then immediately contact the members of the IRT team to arrange an emergency meeting.
The IRT Leader will share all the information they have with the IRT team members. The team will identify the full scope of the issue and take whatever steps are necessary to contain the situation.
The Security Officer will:
Clear communication is paramount; the IRT team should ensure all relevant parties are kept informed as to what is being done at regular intervals throughout the process.
Once the Incident is fully contained the IRT team should work together to completely eradicate the problem this may require a number of steps to achieve a full recovery of affected systems.
Once the incident has been resolved and a full recovery in place, the IRT team should reconvene in a follow-up meeting to discuss lessons learnt and consider whether any of the following steps are required:
If the incident impact on Amazon Data, Logicol de Catalunya S.L will inform Amazon (via email to firstname.lastname@example.org) within 24 hours of detecting any Security Incidents. Logicol de Catalunya S.L will not notify any regulatory authority, nor any customer, on behalf of Amazon unless Amazon specifically requests in writing that the Developer do so.