5.10 Step 10: Information security policies
Key tasks:
• Define how you will handle a personal data breach
• Test your procedures
• Start to notify where appropriate
The general consensus within the information security industry nowadays is that the question is not if an organisation will suffer a security breach, but when; it may already have happened without you knowing about it. So having an appropriate and tested incident management procedure is a must. The procedure in the Toolkit is a good starting point not only for incidents affecting personal data, but for a range of information security events, including denial of service attacks and ransomware. We have gone into more detail with a specific plan for the situation where someone has hacked into your systems, suggesting what should be done and in which order.
The GDPR insists that your supervisory authority be told about known breaches that represent a risk to data subjects and is specific about the timescales and the information that must be provided. We provide a notification procedure, form and register in the Toolkit which should help to speed things up if the worst does happen. And if the breach is judged to potentially result in a high risk to the data subjects, then you will need to let them know, and the Breach Notification Letter to Data Subjects is a good starting point.
Relevant Toolkit documents:
• Information Security Policy
• Mobile Device Policy
• Access Control Policy
• Cryptographic Policy
• Physical Security Policy
• Anti-Malware Policy
• Network Security Policy
• Electronic Messaging Policy
• Cloud Computing Policy
• Acceptable Use Policy
• HR Security Policy
• Social Media Policy
Key tasks:
• Define your information security policies