Reporting Data Protection Breach Procedure V1


DATA PROTECTION BREACH

REPORTING PROCEDURE
INTRODUCTION

Background

Solvo is obligated under data protection legislation to maintain the security of
personal data and to respond promptly and appropriately in the event of a breach of
personal data security (hereinafter referred to as a “data breach”).

The purpose of these Procedural Guidelines is to provide a framework for the
notification and management of breaches involving personal data controlled and
processed by Solvo. The Guidelines complement Solvo's Data Protection Policy,
which affirms the commitment to protect the privacy rights of Customers and
Soulvers in accordance with data protection legislation.

Purpose

The purpose of an incident response is to ensure that:

• Data breach events are detected, reported, categorised and monitored
consistently.
• Incidents are assessed and responded to appropriately.
• Action is taken to reduce the impact of disclosure.
• Mitigation improvements are put in place to prevent recurrence.
• Serious breaches can be reported to the Information Commissioner.
• Lessons learnt are communicated to the SOLVO C-Level, as appropriate,
who will work to prevent future incidents.

2. INCIDENT MANAGEMENT

Definition

A Data Protection breach is the result of an event or series of events where
Personally Identifiable Information is not stored, destroyed or shared with person(s)
correctly and can be viewed by persons not entitled to view the data.

Breach management is concerned with detecting, reporting and containing incidents
with the intention of implementing further controls to prevent the recurrence of the
event.

REPORTING MECHANISMS FOR HPSET

SOLVO C-Level will:

• Put measures in place to ensure that awareness of data protection will enable
breaches to be reported.
• Issue guidance on how to report data breaches.
• Ensure that contemporaneous logs of incidents are kept.
• Share recommendations and lessons learnt from any data breach to
prevent recurrence.

Process for Data breaches


The diagram below shows the flow of actions involved in a data breach review.

[Diagram not reproduced; surviving stage label: LEARN]

Reporting

2.4.1 The objective of any breach investigation is to identify what actions the
organisation needs to take, first, to prevent a recurrence of the incident and, second,
to determine whether the incident needs to be reported to the Information
Commissioner’s Office.

Lessons Learned

Key to preventing further incidents is ensuring the organisation learns from an
incident.

OUTLINE PROCEDURE FOR INCIDENT HANDLING

On identification of a breach of personal data, a review will be undertaken. The
individual must be notified of the breach as soon as it is identified, and of the outcome
of the review and any actions put in place to prevent a future occurrence or to mitigate
the risk.

Any data breaches need to be logged and reported immediately to the CEO and the
SOLVO CISO for action to be taken within 72 hours of the report.

Data Protection Breach Reporting Form

The aim of this document is to ensure that in the event of a data loss, all information
can be gathered to understand the impact of the incident and what must be done to
reduce any risk.

1. Summary of Incident

Date and Time of Incident

Number of people whose data is affected

Nature of breach – actual data lost or corrupted

Description of how breach occurred

Date and time breach reported

What immediate remedial action was taken - Has the data been retrieved or
deleted? If yes - date and time:

Feedback, Lessons Learnt and recommendations

Date / Signature of person(s) completing review and follow-up.
