This document describes how Telavox will act in the event of a personal data breach.
Personal data breach means, as defined in GDPR, a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Breach Response Plan
In case of a breach, the breach response plan consists of the following actions:
- Risk assessment
- Limiting breach damage
- Restore data
- Notify user/controlling authority
- Prevent recurring problems with root cause analysis
The risk assessment will define the possible impact of the breach in order to determine the escalation level. The following aspects will be taken into account:
- Type of personal data that has been breached
- Breach of sensitive personal data (as defined in GDPR)
- Number of users affected by the breach
- Breach type
- Impact on physical persons’ rights
Depending on the outcome from the aspects above, the breach is classified into four (4) different categories:
- White: No personal data has been breached. Escalation: No action taken
- Yellow: A limited amount of personal data has been breached and/or the personal data is not sensitive and/or the breach has a limited impact on the service. Escalation: Low risk of impact on a physical person’s rights, specialist level involvement
- Orange: An amount of personal data concerning several users has been breached and/or the personal data is not sensitive and/or the breach has a medium impact on connected services. Escalation: Medium risk of impact on a physical person’s rights, management level involvement
- Red: A large amount of personal data has been breached and/or the personal data is sensitive and/or the breach has a high impact on connected services. Escalation: High risk of impact on a physical person’s rights, C-level involvement.
Limiting Breach Damage
After the breach risk category has been identified, appropriate measures are carried out in order to limit the breach damage. These can include, but are not limited to, one or several of the following actions:
- Revoking system access
- Resetting passwords
- Forcing system authentication
- Isolating affected systems
- Isolating access to affected hardware
Telavox continually backs up data for restoration should a technical failure and/or breach occur. We secure data in transit and at rest using modern encryption methods.
Notify user/controlling authority
The controlling authority will always be notified in case of a breach, except if the incident is classified as “White”. The user shall be notified if the breach is classified as “Red”. The following information will, if possible, be included:
- A description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned
- The name and contact details of the data protection officer or other contact point where more information can be obtained
- Description of likely consequences of the personal data breach
- Description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Telavox will notify the controlling authority and/or the user as soon as possible, but at the latest 72 hours from when the breach was discovered.
Prevent recurring problems with root cause analysis
After the necessary actions have been taken to limit the breach, restore the personal data and notify concerned parties, a thorough investigation is made into what actions should be taken to prevent a similar breach from occurring again. This investigation may result in updated policies, enhanced security and/or new processes.