You’re the Boss Personal Data Breach Policy

This policy outlines our commitment to you in terms of the reporting of a data breach.  We will comply with the guidelines laid out in the General Data Protection Regulations (GDPR) at all times.

What is a personal data breach?

A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.

In what circumstance will a report be made?

Your the Boss will report any personal data breach to the Information Commissioners Office (ICO) where it is likely to result in a risk to the rights and freedoms of individuals.

If unaddressed such a breach is likely to have a significant detrimental effect on individuals – for example, result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.

This has to be assessed on a case by case basis.

When do individuals have to be notified?

In addition to reporting the Data Breach to the ICO if any breach has a likelihood of a high risk to people’s rights and freedoms, Your the Boss will also report the breach to the individuals who have been affected. High risk situations include the potential of people suffering significant detrimental effect – for example, discrimination, damage to reputation, financial loss, or any other significant economic or social disadvantage.

When will a report be made?

Your the Boss will report any personal data breach that affects people’s rights and freedoms, without undue delay and, where feasible, not later than 72 hours after having become aware of it.

If the breach is sufficiently serious to warrant notification to the public, the organisation responsible must do so without undue delay.

How can a report be made?

Your the Boss will use either the telephone reporting service or web reporting form provided by the ICO.

What will be included in the report?

  • The nature of the personal data breach including, where possible:
    • the categories and approximate number of individuals concerned; and
    • the categories and approximate number of personal data records concerned;
  • The name and contact details of the data protection officer at Your the Boss or other contact point where more information can be obtained;
  • A description of the likely consequences of the personal data breach; and
  • A description of the measures taken, or proposed to be taken, to deal with the personal data breach and, where appropriate, of the measures taken to mitigate any possible adverse effects.

Where Your the Boss doesn’t have all the details available, we will provide additional information as soon as it becomes available.