Delta Finance - Privacy Policy

Introduction
A data breach, if not handled appropriately and in a timely manner, could lead to physical, material, or non-material harm to individuals, as well as financial loss or reputational damage for the organization. When we collect, use, and retain personal data, we must take the necessary measures to protect this data and use it in a lawful manner.

Purpose and Scope
The General Data Protection Regulation (GDPR) requires our organization to have an appropriate data security framework. This policy is a crucial part of that framework and outlines the procedure to ensure a consistent and effective response to a breach incident. The policy applies to all employees, external partners, and stakeholders who may have access to or are responsible for the collection and processing of personal data.

Definition
A data breach is defined as a security breach that leads to the accidental or unlawful destruction, loss, or alteration of, or the unauthorized disclosure of or access to, personal data that is transmitted, stored, or otherwise processed.

Incident Reporting
Immediately report any discovery of a breach incident to your supervisor. Senior management will ensure they remain accessible for emergencies, including outside regular business hours. Anyone reporting an incident is encouraged to record as many details as possible. Note that failure to report an incident could potentially result in disciplinary actions or even fines and penalties for the organization.

Containment and Recovery
The first responder to the incident will determine whether it is ongoing and, if so, the steps needed to minimize its impact. An initial assessment will then be conducted to determine the severity of the breach. This includes identifying possible actions to contain damages or recover losses, determining who needs to be informed about the initial containment, whether authorities need to be involved, and the appropriate course of action to follow.

Investigation and Risk Assessment
The breach management process will establish, at a minimum, the lead investigator, the timeline for the investigation, the evaluation and mitigation of risks, the individuals affected, the impact on them, and what they can do to minimize this impact.

Notification
It may not always be necessary to notify the supervisory authority about a breach incident. If notification is required, it must be done within 72 hours of discovering the breach unless it is impossible to do so within this timeframe and an explanation is provided. Note that authorities may prevent us from notifying individuals whose personal data may be affected. When it is necessary to inform individuals, we will do so promptly and in clear and simple language. We will also assess whether it is necessary to inform other stakeholders, such as insurers, banks, credit card agents, or unions. A record of every incident or breach will be kept, regardless of whether notification is required.

Evaluation and Response
Every incident requires a complete review of its causes, the effectiveness of the response, and the impact on existing systems or processes. Existing controls will be re-evaluated to determine whether corrective actions are needed. We will identify whether training and awareness about incident identification and response are required. Consequently, regular training exercises within the information environment should be encouraged.
info@deltafinance.gr
© 2024 Copyright - Delta Finance all rights reserved.