Last updated: 24/05/2018

1. INTRODUCTION

Wordbank Marketing Ltd (“the Company”) has a range of measures in place to protect the personal data that we hold. Despite our best endeavours, it is possible that a situation will occur where our data protection measures are breached. The purpose of this document is to set out the approach that the Company will take should this situation arise.

Our Data Breach and Notification Procedure is one element of how we fulfil our obligations under the General Data Protection Regulation 2016 (“GDPR”).

The following policies and procedures also support the Company with ensuring GDPR compliance:

• Privacy Statement
• Record Retention and Protection Policy
• Data Subject Access Request Procedure

2. GENERAL PRINCIPLES

The Company has some clear requirements when it comes to reporting serious incidents which relate to personal data and which may impact the rights and freedoms of data subjects. These are:

• We must report any serious breach to the Information Commissioner’s Office (ICO) as soon as possible, but within 72 hours of the Company becoming aware of the issue
• Where a breach occurs, we must inform data subjects without undue delay

3. THE REQUIREMENT TO REPORT THE BREACH

It is important to note that the requirement to report a breach either to the ICO or to the data subject depends on the severity of the breach. The breach only needs to be reported if it represents a risk to the rights of the data subject. The Company will assess any breach which occurs and will decide on the relevant reporting requirements based on the level of risk we believe exists.

The following information will be taken into consideration when assessing the breach:

• Whether the personal data was encrypted
• If encrypted, the strength of the encryption used
• To what extent the data was pseudonymised (i.e. whether living individuals can reasonably be identified from the data)
• The data items included, e.g. name, address, bank details, biometrics
• The volume of data involved
• The number of data subjects affected
• The nature of the breach, e.g. theft, accidental destruction
• Any other factors that are deemed to be relevant

The risk assessment will be undertaken by the Managing Director and the reasons for the decision need to be clearly documented.

Even if a data breach is not deemed to have been significant enough to warrant reporting to either the ICO or the data subject, it will be recorded in our Data Breach Register.

4. NOTIFYING THE ICO

Where it is deemed that a breach needs to be reported to the ICO, then it is the responsibility of the Managing Director to complete this activity. The Managing Director is aware of this requirement and knows the process that needs to be followed.

5. NOTIFYING DATA SUBJECTS

Where it is deemed that a breach needs to be reported to data subjects, then it is the responsibility of the Managing Director to complete this activity. The Director is aware of this requirement and knows the process that needs to be followed.

Data subjects will be informed of:

• The nature of the breach
• Whether the breach has been reported to the ICO
• What measures have been taken to mitigate the risk to data subjects
• What actions, if any, will be taken to minimize the risk of a similar breach occurring in the future.

6. CONCERNS AND QUESTIONS

GDPR is new legislation and its interpretation will evolve over time. The Company will continue to adopt best endeavours to ensure ongoing compliance. However, if you have concerns about any of the actions that are being taken, or are unclear as to how the Company is complying with specific elements of the legislation, please raise your concerns with the COO via data_support@wordbank.com. We will then investigate the matter and respond to you within 28 days.