Introduction
This Policy and Response Plan sets out how Cloud in India manages personal data breaches swiftly and effectively.
We handle personal data belonging to employees, clients, suppliers, and other stakeholders for a range of business purposes. Cloud in India is committed to both the letter and spirit of data protection law. We place the highest importance on lawful, fair, and secure handling of personal data, while respecting the privacy, rights, and trust of all individuals we engage with.
A data breach is generally defined as the unauthorised access, retrieval, or loss of information — including corporate and/or personal data. Breaches are recognised as one of the most serious risks facing organisations, often resulting in financial loss, reputational damage, and loss of trust from clients or the public.
Across all jurisdictions where Cloud in India operates, we are legally required to take appropriate security measures to safeguard personal data and prevent unauthorised access, disclosure, or misuse.
Scope
This policy applies to all staff. You are expected to:
Be familiar with this policy.
Comply with its terms.
It supplements our existing IT, internet, and email use policies. Updates or amendments will be circulated before adoption.
Our Data Protection Officer (DPO), Edward Rowland, has overall responsibility for implementing this policy on a day-to-day basis.
Training
All staff receive training on this policy.
New employees are trained during induction.
Annual refresher training (via in-house seminars and online modules) is mandatory.
Additional training will be provided whenever laws, policies, or procedures change significantly.
Training covers relevant data protection laws and Cloud in India’s related policies. Completion is compulsory.
GDPR Compliance
The EU General Data Protection Regulation (GDPR) applies to any organisation processing personal data of EU residents, regardless of location.
Personal Data, as defined by the European Commission, includes: names, addresses, photos, emails, bank details, social media posts, medical information, or IP addresses.
Cloud in India applies the broadest definitions of both Personal Data and Sensitive Personal Data under GDPR.
Use of sensitive data is strictly controlled under this policy.
Aggregated or anonymised data is not considered personal data.
We collect personal data for business purposes including recruitment, HR, operations, supplier management, and client engagement. Examples of data collected: contact details, employment history, pay information, certificates, qualifications, marital status, and nationality.
Causes of Data Breaches
Data breaches may be caused by:
Human Error (e.g., lost devices, sending data to the wrong recipient, improper disposal, unauthorised sharing of login credentials).
Malicious Acts (e.g., hacking, phishing, theft, scams tricking staff into disclosing information).
System Errors (e.g., software bugs, cloud storage failures, authentication flaws).
Reporting Breaches
All staff must report actual or suspected breaches immediately. Reporting allows us to:
Investigate and mitigate risks.
Maintain a register of incidents.
Notify supervisory authorities where legally required.
Under GDPR:
The DPO must report notifiable breaches to the Supervisory Authority within 72 hours.
Affected individuals must also be informed where there is significant risk.
Clients must be notified without undue delay.
Data Breach Team
Our Data Breach Team (DBT) includes the DPO, CTO, and Director of Operations.
(Data Protection Officer)
📧 info@cloudinindia.com
When reporting a breach, please provide:
Extent of breach
Type/volume of data involved
Cause or suspected cause
Whether the breach has been rectified
Steps taken to reduce risks
Whether affected individuals have been notified
If not all details are available, submit an interim report.
Data Breach Management Plan
When a breach is suspected or confirmed, the DBT will activate the following steps:
Confirm the Breach
Verify if a breach has occurred. In high-risk cases, containment may begin immediately.
Contain the Breach
Shut down compromised systems.
Recover lost data (e.g., remote wiping of devices).
Prevent further access (e.g., reset passwords, revoke permissions).
Isolate compromised systems.
Assess Risks & Impact
Evaluate scale, type of data, affected individuals, and potential harm (financial, reputational, identity theft).
Assess whether encryption or other protections reduce the risk.
Consider third-party involvement.
Report the Incident
Notify affected individuals promptly if sensitive data is involved.
Inform third parties (e.g., banks, police, regulators) if relevant.
Communicate clearly and simply, and provide next steps.
Evaluate & Prevent Future Breaches
Review the root cause.
Audit existing security controls.
Implement improvements in processes, training, and resources.
Monitoring & Compliance
The DPO monitors, reviews, and updates this policy regularly.
Compliance is mandatory for all staff.
Failure to comply may result in disciplinary action, up to and including dismissal.
Reporting a Data Breach
If you become aware of a breach, please contact:
📧 info@cloudinindia.com
We will respond as quickly as possible.