DATA BREACH POLICY & PROCEDURES
1. Policy Statement
Top Outsourcing Partners (TOP, "we", "our", or "the Company") is committed to meeting its obligations under the applicable regulatory regime and the GDPR. We maintain a structured compliance and monitoring programme, conduct regular risk assessments, and protect personal data through defined technical and organisational measures. This policy sets out how we handle personal data breaches.
2. Purpose
This policy defines our objectives and procedures for managing personal data breaches. It ensures staff understand their responsibilities, the steps for reporting, investigating, and notifying breaches, and aligns our practices with GDPR and regulatory requirements.
3. Scope
This policy applies to all employees, contractors, agents, interns, and third parties engaged with TOP in any location. Adherence is mandatory, and violations may lead to disciplinary actions.
4. Data Security & Breach Requirements
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data that we transmit, store or otherwise process. Our protective measures include:
- Pseudonymization and encryption
- Access controls and biometric security
- Regular audits, disaster recovery, and resilience plans
- Mandatory training and knowledge assessments
- Review of data transfers and secure disposal of data
4.1 Objectives
- Ensure compliance with the GDPR and UK data protection law
- Maintain effective breach prevention and response procedures
- Notify authorities and individuals when required
- Maintain breach logs for analysis and prevention
- Protect the privacy and identity of data subjects
5. Data Breach Procedures & Guidelines
TOP implements strong breach prevention controls and has structured processes to handle breaches promptly and effectively.
5.1 Breach Monitoring & Reporting
All breaches are reported immediately to the Data Protection Officer or the designated compliance entity (e.g., RCM Group Consulting). Each incident is recorded and investigated, even if no formal notification is required.
5.2 Breach Incident Procedures
Upon identification, breaches must be reported without delay. Containment actions are initiated immediately, while preserving the logs and other evidence needed for the investigation. Each incident is documented using our Breach Incident Form and reviewed by the compliance team.
5.3 Breach Risk Assessment
5.3.1 Human Error
- Root cause analysis conducted
- Employee retraining or disciplinary action
- Procedure revision to prevent recurrence
5.3.2 System Error
- IT and compliance team investigate root cause
- Actions may include:
  - Recovering lost or corrupted data
  - Isolating or shutting down affected systems
  - Resetting compromised credentials
  - Restoring data from backups
5.3.3 Risk Investigation & Documentation
The lead investigator documents:
- Type and sensitivity of data
- What protections existed (e.g., encryption)
- Where the data now resides and who can currently access it
- Broader implications and resolutions
6. Breach Notifications
TOP complies with legal reporting timelines and ensures communication with regulatory bodies and affected individuals where appropriate.
6.1 Supervisory Authority Notification
- Where the breach is likely to result in a risk to the rights and freedoms of individuals, TOP notifies the Supervisory Authority without undue delay and no later than 72 hours after becoming aware of it (reasons for any delay are given with the notification), including:
  - Description of the nature of the breach
  - Categories and approximate number of affected data subjects and records
  - Name and contact details of the DPO or other contact point
  - Likely consequences and the measures taken or proposed to address the breach
6.2 Data Subject Notification
- Where the breach is likely to result in a high risk to the rights and freedoms of individuals, data subjects are notified without undue delay. The notice, in clear and plain language, includes:
  - Nature of the breach
  - Name and contact details of the DPO or other contact point
  - Likely consequences and the measures taken or proposed to mitigate them
- Exceptions: individual notice is not required where the data was rendered unintelligible to unauthorised persons (e.g. encrypted, provided the key was not itself compromised), where subsequent measures mean the high risk is no longer likely to materialise, or where direct notice would involve disproportionate effort, in which case an equally effective public communication is used instead.
7. Record Keeping
All breach records, including those for breaches that did not require notification, are retained for 6 years. The log is reviewed monthly to identify trends and prevent recurrence.
8. Responsibilities
- All staff receive training and support
- Designated compliance entities (e.g., RCM Group Consulting) conduct audits
- Processes include feedback and continuous improvement