Data Breach Incident Response Plan
In the event of any BSD staff member becoming aware of a personal data breach, the procedure to be followed is:
- The person who discovers the breach will immediately inform the Director of Software Development and the CTO.
- As soon as possible, the Director of Software Development or CTO will assign necessary staff to investigate the cause and scope of the breach and to implement other remedial actions.
- With the highest priority, the assigned staff will proceed to:
  - Determine the scope of the breach - which users were affected; which data was breached and to whom; whether the breach is ongoing or stopped
  - Take urgent action to stop an ongoing breach
  - Determine the cause of the breach and begin remedial action
  - Determine whether the breach is likely to result in a risk to the rights and freedoms of the data subjects
  - Determine the international locations of the affected users, specifically which of the affected users are within the EU
  - Prepare a report for senior management
- The Director of Software Development will send the data breach report to senior management including the CEO, COO and CTO and arrange a meeting to agree upon next steps.
- After the meeting and within 72 hours of the breach being initially reported, if such action is agreed upon, the company will report the breach which may include:
  - a public statement posted on our website
  - an email sent to all affected users
  - an on-platform notification to all affected users
  - a report of the breach to the ICO via their website