Data Breach Policy
LA Productions Data Breach Policy
If you become aware of a breach of the Data Protection Act, the GDPR, or of LA Productions' obligations under a client or employee contract, you must inform the Data Protection Manager immediately, who will in turn report the incident immediately to the Managing Director. A Security Incident Report must be completed and passed to the Managing Director.
A data breach includes, but is not limited to:
- Any loss, destruction, unauthorised access to, or inappropriate transmission of personal data.
- Personal data relating to LA Productions clients and employees.
The Data Protection Manager is responsible for any investigation, escalation and resolution measures deemed necessary as the result of an incident and will maintain a log of all security incidents.
When a security incident is reported, a decision must be made as to whether an investigation into the incident will be carried out and who will be tasked with carrying it out.
Where follow-up action against a person or organisation after an information security incident involves legal action (either civil or criminal), evidence must be collected, retained, and presented in a manner that conforms to the rules of evidence in the relevant jurisdiction(s). Evidence should be preserved as early as possible, before containment or recovery steps alter it.
The Data Protection Manager will advise on the appropriate course of action and any further actions to be taken. Security investigations must address the following:
- What happened and what its impact was.
- Root cause analysis of why and how it happened.
- What needs to be done immediately to prevent further damage and facilitate initial recovery.
- What needs to be done in the longer term to prevent a recurrence.
- Whether any person is culpable and whether disciplinary action is necessary.
For all investigations, a record must be maintained throughout the conduct of the investigation and the resolution of the breach. Investigation records must include:
- Nature of the breach.
- When, how and by whom the breach was discovered.
- To whom and when the breach was escalated.
- Details of actions taken, when, and by whom, together with results.
- Details of any emergency measures implemented to contain the exposure.
- Details of agreed permanent solution.
- Impact assessment.
A decision on the need to inform the client and the ICO will be taken by the Data Protection Manager. Under the GDPR, a personal data breach must be reported to the ICO without undue delay and, where feasible, within 72 hours of LA Productions becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals; where the 72-hour deadline cannot be met, the reasons for the delay must be given with the notification. Where LA Productions is processing personal data on behalf of a client, the client must be notified without undue delay after LA Productions becomes aware of the breach. Where the breach is likely to result in a high risk to individuals, the affected individuals must also be informed without undue delay. The reasons for any decision not to notify must be recorded in the security incident log.