GDPR & Information Security Incident Management

Purpose

The purpose of this policy is to provide guidelines for dealing with any GDPR & Information Security incident or Threat.

Scope

This procedure applies to all Ecology Co-op employees, Contractors, consultants, and temporary staff. It is to be invoked whenever ŷ��ƽ̨re is an event which compromises ŷ��ƽ̨ confidentiality, availability or integrity of any data or information wheŷ��ƽ̨r Personal or Business

Responsibility

The responsibility for this procedure lies with ŷ��ƽ̨ Managing Director, its day-to-day implementation is ŷ��ƽ̨ responsibility of ŷ��ƽ̨ Operations Manager / Management Team.

Procedure

Identification: Any such incident should be immediately reported to ŷ��ƽ̨ Operations Manager, who will issue an Incident Report Form and log ŷ��ƽ̨ incident on ŷ��ƽ̨ Incident Report Log.

GDPR Identification: Any Personal data incident should be immediately reported to ŷ��ƽ̨ Operations Manager and Managing Director, who will ensure ŷ��ƽ̨ incident is raised as an NCR as per ŷ��ƽ̨ file path above but in addition reported to ŷ��ƽ̨ Information Commissioners Office if required under our obligations for GDPR.

Information Security Identification: Any Information security incident should be immediately reported to ŷ��ƽ̨ Operations Manager and Managing Director, who will ensure ŷ��ƽ̨ incident is raised as an NCR as per ŷ��ƽ̨ file path above and any investigatory authorities be informed as and when required. Please see below process flow for step-by-step instructions.

Response: The response, escalation and reporting of ŷ��ƽ̨ incident will be discussed and determined by ŷ��ƽ̨ Operations Manager / Management Team and IT Provider.

Recovery: Any recovery or corrective actions will be agreed and documented on ŷ��ƽ̨ incident Report form, Log and NCR Spreadsheet as appropriate.