This document describes how Telavox will take action in case of a personal data breach.
Personal data breach means, as defined in GDPR, a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Breach Response Plan
In case of a breach, the breach response plan consists of the following actions:
- Risk assessment
- Limiting breach damage
- Restore data
- Notify user/controlling authority
- Prevent recurring problems with root cause analysis
Risk Assessment
The risk assessment will define the possible impact of the breach in order to determine the escalation level. The following aspects will be taken into account:
- Type of personal data that has been breached
- Breach of sensitive personal data (as defined in GDPR)
- Number of users affected by the breach
- Breach type
- Impact on physical persons’ rights
Depending on the outcome from the aspects above, the breach is classified into four (4) different categories:
- White: No personal data has been breached. Escalation: No action taken
- Yellow: A limited amount of personal data has been breached and/or the personal data is not sensitive and/or the breach has a limited impact on the service. Escalation: Low risk of impact on a physical person's rights, specialist level involvement
- Orange: An amount of personal data concerning several users has been breached and/or the personal data is not sensitive and/or the breach has a medium impact on connected services. Escalation: Medium risk of impact on a physical person's rights, management level involvement
- Red: A large amount of personal data has been breached and/or the personal data is sensitive and/or the breach has a high impact on connected services. Escalation: High risk of impact on a physical person's rights, C-level involvement.