Data Breach Response Policy

1. PURPOSE

This policy defines the minimum requirements and responsibilities for reporting security incidents, in order to minimize the negative impact on the confidentiality, integrity, and availability of BrainPayroll Information and systems.

2. SCOPE

This policy applies to all BrainPayroll employees and to all third parties responsible for the processing of personal data on behalf of BrainPayroll services/entities. The content of this policy also applies to our processors and sub-processors globally.

3. POLICY STATEMENT

This Policy requires all individuals with access to BrainPayroll Resources and Information to immediately report any suspected or actual security incident to securityincidents@brainpayroll.co.uk.

In addition, the Policy requires maintenance of a process to help identify and act on security incidents quickly and effectively, including:

  • Handling of such incidents by authorized personnel to allow for proper and complete investigation.
  • Cooperation with those charged with investigating security incidents to help identify required actions.
  • Documentation of security incidents for record keeping.
  • Availability of records for internal and external reviews.
  • An assessment of the impact of security incidents to help identify and take measures that will prevent recurrence or mitigate harm.
  • Timely notice and communication as required to external bodies and affected individuals.
  • Compliance with any state, federal or international laws governing security incident and data breach events.
  • Expeditious handling of security incidents to facilitate the restoring of normal operations.
  • Review of security incidents for any patterns and areas of risk to help improve incident handling policies and procedures.
  • Periodic testing of the security incident handling process to measure its efficacy; and
  • Delivery of awareness and training on security incident reporting and handling periodically to maintain, enhance, or reinforce understanding of these measures.

4. GDPR BREACH

  • Within twenty-four (24) hours of the discovery of a GDPR Breach, the DPO, after consultation with the Office of General Counsel, will determine whether reporting to supervisory authorities and/or data subjects is required by law or is otherwise prudent.
  • A determination from the DPO that notification is required and the authorization from an authorized member of management will initiate the external notification procedure. Notification to EU data protection authorities is required unless a determination is made that the Breach is unlikely to result in a risk to data subjects. If the Breach is likely to result in a High Risk to data subjects, notification to data subjects is also required.
  • The DPO, after consultation with the Office of General Counsel, will determine the appropriate authorities to notify. Notification to authorities must: (i) describe the nature of the Breach including, where possible, the categories and approximate number of data subjects concerned and the categories and the approximate number of Personal Information records concerned; (ii) communicate the name and contact details of the DPO or other contact point where more information can be obtained; (iii) describe the likely consequences of the Breach; and (iv) describe the measures taken or proposed to be taken by BrainPayroll to address the Breach, including, where appropriate, measures to mitigate its possible adverse effects.
  • External reporting to the EU GDPR supervisory authorities must be conducted within seventy-two (72) hours of discovery of the Breach, wherever feasible. If any delay in reporting is necessary, the reasons for the delay must be documented. In all cases, external reporting must be conducted within thirty (30) days.
  • The business process owner of the compromised system/files will compile the list of the specific individuals whose GDPR Data is reasonably believed to have been accessed and/or acquired by an unauthorized person. When specific individuals cannot be identified, all individuals who are likely to have been affected, such as all those whose GDPR Data is stored in the files involved, should be notified. The process for determining inclusion in the notification group must be documented.
  • The DPO, after consulting with the Office of General Counsel, will determine the plan for notifying individuals affected by the Breach, consistent with the following guidelines:
    • The method of notification -
      • In general, notices should be sent by postal mail or, preferably, email. BrainPayroll's standard Breach notice will consist of an email message featuring the official BrainPayroll logo, addressed to the individual at the last email address registered with BrainPayroll. Any notice returned as undeliverable should be re-sent via another channel, such as first class mail, if alternate contact information is available.
    • The content of the notice -
      • The notice should include a description of the incident in general terms.
      • The notice should include a description of the type of GDPR Data that was the subject of the Breach.
      • The notice should include a description, in general terms, of the steps BrainPayroll has taken to protect the information from further unauthorized access and/or acquisition.
      • The notice should include a telephone number that the individual may call for further information and assistance; and
      • The notice should include advice directing the individual to remain vigilant by reviewing account statements and monitoring free credit reports, where applicable to the nature of the Breach.
    • The timing of notification -
      • Affected individuals must be notified as expeditiously as possible, and without unreasonable delay, consistent with any measures necessary to determine the scope of the Breach and to restore the reasonable integrity of the data system.
      • Delay is permitted when a law enforcement agency has determined that notification would impede a criminal investigation. In such a case, notification must occur as soon as the law enforcement agency determines that notification will no longer compromise the investigation. The factors considered when determining the timing of notification must be documented.
