xcPEP Data Breach Notification Policy
1. Purpose and Scope
This Data Breach Notification Policy outlines Advanced Structures India Private Limited's procedures for detecting, responding to, and notifying affected parties in the event of a Personal Data breach affecting the xcPEP service. This policy is designed to ensure timely and effective communication in compliance with applicable data protection laws.
2. Definitions
- Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
3. Roles and Responsibilities
- Incident Response Team (IRT): A dedicated team responsible for managing security incidents, including data breaches.
- Information Security Officer: Oversees compliance and notification processes.
- Legal Counsel: Advises on legal obligations and notification requirements.
- Communications Lead: Manages internal and external communications during a breach.
4. Incident Detection and Reporting
We employ continuous monitoring systems to detect potential security incidents and data breaches.
All employees and contractors are trained to identify and report suspected security incidents immediately through defined internal channels.
5. Incident Assessment and Classification
Upon detection, the IRT will:
- Confirmation: Determine whether a Personal Data breach has occurred.
- Containment: Take immediate steps to contain the breach and prevent further unauthorized access or damage.
- Investigation: Conduct a thorough investigation to determine the nature, scope, and impact of the breach, including the types of data involved, the number of affected individuals, and the root cause.
- Risk Assessment: Assess the potential risk to the rights and freedoms of affected individuals.
6. Notification Procedures
- To Customers (Data Controllers):
  - Advanced Structures India Private Limited will notify affected customers without undue delay, and where feasible, within 48 hours of becoming aware of the breach, considering the severity and applicable legal requirements.
  - The notification will include, to the extent possible, details such as:
    - The nature of the Personal Data breach.
    - The categories and approximate number of data subjects and Personal Data records concerned.
    - The name and contact details of the Data Protection Officer or other contact point.
    - A description of the likely consequences of the Personal Data breach.
    - A description of the measures taken or proposed to be taken by Advanced Structures India Private Limited to address the Personal Data breach, including, where appropriate, measures to mitigate its possible adverse effects.
  - Notifications will be sent via designated secure communication channels (e.g., email to primary contacts, updates on the status page, a dedicated portal).
- To Regulatory Authorities:
  - Advanced Structures India Private Limited will notify relevant data protection authorities (e.g., GDPR supervisory authorities, Indian data protection authorities) of a Personal Data breach without undue delay, and where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
- To Data Subjects (Individuals):
  - Where legally required and deemed necessary by the customer (as the Data Controller), Advanced Structures India Private Limited will assist the customer in notifying affected data subjects directly, providing the necessary information and support.
7. Post-Breach Activities
- Remediation: Implement corrective actions to address the root cause of the breach and prevent recurrence.
- Learning: Conduct a post-incident review to identify lessons learned and improve security controls and incident response processes.
- Documentation: Maintain comprehensive records of all breaches, investigations, and notifications.
8. Policy Review and Updates
This policy is reviewed annually and updated as necessary to reflect changes in legal requirements, best practices, and our internal procedures.