GDPR

GDPR & Information Security Incident Management

Purpose

The purpose of this policy is to provide guidelines for dealing with any GDPR or information security incident or threat.

Scope

This procedure applies to all Ecology Co-op employees, contractors, consultants and temporary staff. It is to be invoked whenever there is an event which compromises the confidentiality, availability or integrity of any data or information, whether personal or business.

Responsibility

The responsibility for this procedure lies with the Managing Director; its day-to-day implementation is the responsibility of the Operations Manager / Management Team.

Related Documents

Ref: Incident report form

Ref: NCR CAP Spreadsheet

Procedure

Identification: Any such incident should be immediately reported to the Operations Manager, who will issue an Incident Report Form and log the incident on the Incident Report Log.

GDPR Identification: Any personal data incident should be immediately reported to the Operations Manager and Managing Director, who will ensure the incident is raised as an NCR as per the file path above and, in addition, reported to the Information Commissioner's Office if required under our GDPR obligations.

Information Security Identification: Any information security incident should be immediately reported to the Operations Manager and Managing Director, who will ensure the incident is raised as an NCR as per the file path above and that any investigatory authorities are informed as and when required. Please see the process flow below for step-by-step instructions.

Response: The response, escalation and reporting of the incident will be discussed and determined by the Operations Manager / Management Team and IT Provider.

Recovery: Any recovery or corrective actions will be agreed and documented on the Incident Report Form, the Incident Report Log and the NCR Spreadsheet as appropriate.

Post incident review

Preventive actions will be agreed and documented as part of the non-conformity process, and the incident shall cross-reference the NCR report. All NCRs will be held open until all actions are complete, then signed off by the Operations Manager.