Personal Data Breach Policy
1. Purpose: Explanation of How Data Breaches Are Managed
At Jedi Sales Consultants Ltd, we take data protection and privacy seriously, even though we do not hold or process customer data directly. As part of our commitment to compliance, we are registered with the Information Commissioner’s Office (ICO) at Tier 1. This policy outlines the steps we will take to manage and respond to data breaches that may occur within the scope of our advisory services or in collaboration with clients.
Our role is to assist clients in protecting their data and to ensure that we are prepared to respond to any breach of data security within our operational environment.
2. Identification: How to Identify a Data Breach
A data breach may occur when personal data is accidentally or unlawfully:
• Lost: Information is misplaced or not accessible.
• Stolen: Unauthorised access or theft of data occurs (e.g., through cyberattacks, phishing, or physical theft).
• Disclosed: Data is shared with unauthorised individuals.
• Altered: Information is modified without authorisation.
• Destroyed: Data is lost due to accidents, malicious activity, or technical failures.
Even though we do not hold personal data, breaches could occur in the context of client interactions or through our advisory role. Jedi Sales staff are trained to recognise the signs of potential breaches in systems, communications, or client data flow.
3. Reporting: How and When to Report a Data Breach
If a breach is identified or suspected, it must be reported immediately to Jedi Sales’ designated supervisor. The following steps are taken:
• Internal Reporting: Any employee who becomes aware of a potential breach should immediately notify their supervisor.
• Timeline: Data breaches should be reported within 24 hours of identification.
• Client Notification: If the breach involves client data or systems, Jedi Sales will promptly notify the client and provide recommendations on necessary actions.
While Jedi Sales does not process personal data directly, our clients rely on us to manage potential risks. We work with clients to ensure proper reporting to authorities when required under GDPR.
4. Containment and Recovery: Steps to Contain and Recover from a Breach
Once a breach is reported, the following steps are taken to contain and recover:
• Assess the Scope: The supervisor will work with relevant teams to assess the extent of the breach and determine whether it involves any personal data managed by clients.
• Containment: If the breach involves security vulnerabilities (e.g., system access, email accounts), immediate steps will be taken to prevent further exposure (e.g., resetting passwords, suspending services).
• Recovery Plan: Collaborate with clients to address the breach and mitigate further risks. If required, Jedi Sales will assist in securing compromised systems or advising on the recovery of lost data.
• Documentation: The breach and response actions will be fully documented for internal records and compliance review.
5. Notification: Criteria for Notifying Affected Individuals and Authorities
Although Jedi Sales Consultants Ltd does not handle personal data, we recognise our clients’ responsibility to notify the relevant authorities and affected individuals in the event of a breach. Under GDPR, the following criteria apply for notification:
• ICO Notification: If the breach poses a risk to individuals’ rights and freedoms, the client is responsible for notifying the ICO within 72 hours of becoming aware of the breach. Jedi Sales will support the client by providing any necessary details about the breach and steps taken.
• Individual Notification: Clients must notify affected individuals without undue delay if the breach could result in a high risk to their rights and freedoms (e.g., identity theft or financial loss).
• Internal Guidance: Jedi Sales will advise clients on when and how notifications should be made to comply with UK data protection laws.
6. Review and Evaluation: Procedures for Reviewing and Evaluating the Breach
Following the containment and resolution of any breach, Jedi Sales Consultants Ltd will conduct a full review to evaluate:
• Cause: Identify the root cause of the breach to prevent future occurrences.
• Effectiveness of Response: Assess how well the breach was managed and whether response times were adequate.
• Client Feedback: Gather input from clients on the effectiveness of support provided.
• Improvements: Update internal procedures and recommend improvements to client systems or security practices where necessary.
The results of the review will be documented, and any lessons learned will be incorporated into future staff training and risk management practices.
This policy is signed by Nathan Ottaway.