Data Breach Policy - JohnRogerson.Com

1. Purpose

Camber House Ltd and Johnrogerson.com (“we”/”us”) have this procedure is in place to provide a standardised response to any reported data breach incident, and ensure that data breaches are appropriately logged and managed in accordance with the law and best practice.

2. Scope

This procedure applies in the event of a personal data breach and applies to all employees of Camber House Ltd at all times and whether located within the physical offices or not

The document applies to all information we hold and all information technology systems utilised by us.

3. Responsibility

All employees/Staff, contractors or temporary employees/staff and third parties working for or on behalf of us are required to be aware of, and to follow this procedure in the event of a personal data
All Employees/Staff, contractors or temporary personnel are responsible for reporting any personal data breach to sally de waard who’s contact details are as follows: matt@johnrogerson.com

4. Definition

The GDPR defines a “personal data breach” in Article 4(12) as: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. Examples include:

Loss or theft of data or equipment on which data isstored
Access by an unauthorised thirdparty
Sending personal data to an incorrectrecipient
Alteration of personal data withoutpermission
Loss of availability of personal data such as equipmentfailure
Unforeseen circumstances such as a fire orflood
Hackingattack
‘Blagging’ offences where information is obtained by deceit for the purposes of this procedure data security breaches include both confirmed and suspected

*If you suspect a data breach or are unsure whether the incident which has occurred constitutes a data breach please refer the matter to Matt Rogerson for consideration*

5. Reporting anincident

Any individual who accesses, uses or manages information within our business is responsible for reporting data breach and information security incidents immediately to Sally de Waard.
If the breach occurs or is discovered outside normal working hours, it must be reported as soon as is
The report will include full and accurate details of the incident, when the breach occurred (dates and times), who is reporting it, the nature of the information, and how many individuals are involved.

6. NextSteps

Matt Rogerson will firstly determine if the breach is still occurring. If so, the appropriate steps will be taken immediately to minimise the effect of the
An initial assessment will be made by Matt Rogerson in liaison with relevant persons (which may include IT services) to establish the severity of the breach and who will take the lead investigating the breach (this will depend on the nature of the breach).
An investigation will be undertaken immediately and wherever possible within 24 hours of the breach being discovered/reported.
Matt Rogerson will investigate the risks associated with the breach, for example, the potential adverse consequences for individuals, how serious or substantial those are and how likely they are to
Matt Rogerson will then establish whether there is anything that can be done to recover any losses and limit the damage the breach could
Matt Rogerson will identify who may need to be notified. The relevant procedures from those identified below will then be followed. Every incident will be assessed on a case by case basis.

7. Procedure – Breach notification data processor to datacontroller

Camber House Ltd must report any personal data breach or security incident to the data controller without undue delay.
The breach notification should be made by email or phone
A confirmation of receipt of this information should be requested and made by email or phone call.

8. Procedure – Breach notification data controller to supervisory authority

Matt Rogerson will determine if the supervisory authority (the Information Commissioner’s

Office (ICO) in the UK) need to be notified in the event of a breach.

If the breach affects individuals in different EU countries, the ICO may not be the lead supervisory authority. Matt Rogerson will also need to establish which European data protection agency would be the lead supervisory authority for the processing activities that have been subject to the
We will assess whether the personal data breach is likely to result in a risk to the rights and freedoms of the data subjects affected by the personal data breach, by conducting an investigation and/or an impact assessment. If we decide that we do not need to report the breach to the ICO we will justify and document our
If a risk to data subject(s) is likely, Matt Rogerson will report the personal data breach to the ICO without undue delay, and not later than 72 hours after becoming aware of
If the data breach notification to the ICO is not made within 72 hours, Matt Rogerson will submit notification electronically with a justification for the communication.
If it is not possible to provide all of the necessary information at the same time we will provide the information in phases without undue further
The following information needs to be provided to the supervisory authority:
- A description of the nature of the
- The categories of personal data
- Name and contact details of Matt Rogerson.
- Likely consequences of the
- Any measures taken to address the
- Any information relating to the data
- Approximate number of data subjects
- Approximate number of personal data records
The breach notification should be made via email. If they are still investigating and will be able to provide more information at a later date or if they are confident that the breach has been dealt with
In the event the ICO assigns a specific contact in relation to a breach, these details are recorded in the Internal Breach

9. Procedure – Breach notification data controller to datasubject

If the personal data breach is likely to result in high risk to the rights and freedoms of the data subject, Camber house will notify those/the data subjects affected without undue delay and in accordance with Matt Rogerson

In any event Matt Rogerson will document their decision-making process.

We will describe the breach in clear and plain language.
The data controller takes subsequent measures to ensure that any risks to the rights and freedoms of the data subjects are no longer likely to
If the breach affects a high volume of data subjects and personal data records, we will make a decision based on assessment of the amount of effort involved in notifying each data subject individually, and whether it will hinder our ability to appropriately provide the notification within the specified time frame. In such a scenario a public communication or similar measure informs those affected in an equally effective manner and will be considered by Matt Rogerson.
If we have not notified the data subject(s), and the supervisory authority considers the likelihood of a data breach will result in high risk, Camber House will communicate the data breach to the data subject by email
We will document any personal data breach(es) within the Data Breach Register, incorporating the facts relating to the personal data breach, its effects and the remedial action(s)

10. Documentation requirements

Internal breach register: there is an obligation for us to document each incident “comprising the facts relating to the personal data breach, its effects and the remedial action taken”.

11. Evaluation

Once the initial incident is contained, Matt Rogerson will carry out a full review of the causes of the breach; the effectiveness of the response(s) and whether any changes to systems, policies and procedures should be
Existing controls will be reviewed to determine their adequacy, and whether any corrective action should be taken to minimise the risk of similar incidents.
The review will consider various points, including but not limited to:

Where and how personal data is held and where and how it is stored
Where the biggest risks lie, and will identify any further potential weak points within its existing measures
Whether methods of transmission are secure; sharing minimum amount of data necessary Identifying weak points within existing security measures
Staff awareness

Cookie	Duration	Description
__cfduid	1 month	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.
__stripe_mid	1 year	This cookie is set by Stripe payment gateway. This cookie is used to enable payment on the website without storing any patment information on a server.
__stripe_sid	30 minutes	This cookie is set by Stripe payment gateway. This cookie is used to enable payment on the website without storing any patment information on a server.
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__gads	1 year 24 days	This cookie is set by Google and stored under the name dounleclick.com. This cookie is used to track how many times users see a particular advert which helps in measuring the success of the campaign and calculate the revenue generated by the campaign. These cookies can only be read from the domain that it is set on so it will not track any data while browsing through another sites.
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
tk_lr	1 year	This cookie is set by JetPack plugin on sites using WooCommerce. This is a referral cookie used for analyzing referrer behavior for Jetpack
tk_or	5 years	This cookie is set by JetPack plugin on sites using WooCommerce. This is a referral cookie used for analyzing referrer behavior for Jetpack
tk_r3d	3 days	The cookie is installed by JetPack. Used for the internal metrics fo user activities to improve user experience

Cookie	Duration	Description
CMID	1 year	The cookie is set by CasaleMedia. The cookie is used to collect information about the usage behavior for targeted advertising.
CMPRO	3 months	This cookie is set by Casalemedia and is used for targeted advertisement purposes.
CMPS	3 months	This cookie is set by Casalemedia and is used for targeted advertisement purposes.
CMRUM3	1 year	This cookie is set by Casalemedia and is used for targeted advertisement purposes.
CMST	1 day	The cookie is set by CasaleMedia. The cookie is used to collect information about the usage behavior for targeted advertising.
DSID	1 hour	This cookie is setup by doubleclick.net. This cookie is used by Google to make advertising more engaging to users and are stored under doubleclick.net. It contains an encrypted unique ID.
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
NID	6 months	This cookie is used to a profile based on user's interest and display personalized ads to the users.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
uuid2	3 months	This cookies is set by AppNexus. The cookies stores information that helps in distinguishing between devices and browsers. This information us used to select advertisements served by the platform and assess the performance of the advertisement and attribute payment for those advertisements.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.

Cookie	Duration	Description
_gat_gtag_UA_90460908_1	1 minute	No description
anj	3 months	No description
CONSENT	16 years 9 months 5 days 10 hours 4 minutes	No description
cookies.js	session	No description
m	2 years	No description