Maxed Up Media Data Breach Policy

Purpose

The purpose of this policy is to provide guidelines for imposing proper and adequate measures to protect the confidentiality, integrity, and security of personal data that identifies a living individual. The guidelines outlined in this policy shall advance Maxed Up Media’s compliance with UK legislation, the General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA).

Scope

The guidelines and procedures outlined in this policy shall apply to all Maxed Up Media entities and employees, as they collect, maintain, access, process, protect, store, use, or otherwise handle individuals’ personal data.

Policy Statement

Maxed Up Media maintains this information security plan to protect the confidentiality, integrity, and security of all personal data. Under its Personal Data Breach Policy, Maxed Up Media entities and employees shall notify affected individuals of a personal data breach as required to adhere to applicable laws and regulations and to protect consumer interests.

Definitions

“Personal Data” means the non-public information of a living individual, including, but not limited to:

  • Full name;
  • E-mail address;
  • Mailing address; 
  • Daytime and/or mobile telephone number;
  • Credit and/or debit card information;
  • Income and credit history;
  • Bank account number;
  • Any code or number which allows access to or use of an individual’s financial or credit account; and
  • Any information that can be used to identify or locate an individual or entity. Such information may be in either paper or electronic records.

Policy

Specific safeguards shall be implemented in order to handle or maintain personal data.  

  1. Maxed Up Media shall not share an individual’s personal data with others without the consumer’s prior express written consent. Notwithstanding the foregoing, Maxed Up Media may provide such information to select third parties:
    1. Maxed Up Media may outsource the day-to-day management of some technical aspects of its operations to certain entities (processors). These entities may have access to consumer data. Any outsourcing agreement will require
    2. administrative vendors, but only if done for efficiency purposes in providing administrative or program management services in connection with the identified party’s participation in Maxed Up Media’s network, for reasons including, but not limited to, billing, delivery, and payouts, and only if the third party has agreed to protect the confidentiality of information provided by Maxed Up Media, or
    3. where required by law, warrant, legal process, or requested by a court of law. 
  2. When personal data is submitted to Maxed Up Media, such information shall be protected both online and offline, by encrypting the personal data and protecting it with SSL encryption software. This also applies to any data to be passed to third parties.
  3. Servers which store personal data shall be kept in a secure physical environment. Access to the personal data shall be strictly limited, and not accessible by the public. Only certain Maxed Up Media employees or the technical support provided by an outsource company, who need personal data to perform a specific task or job, shall be granted access to such information. Maxed Up Media employees who do not adhere to the company’s policies shall be subject to disciplinary action.
  4. All Maxed Up Media employees shall be required to receive regular training regarding steps which need to be taken to maintain the security, confidentiality, and integrity of personal data. All steps will always be complied with.
  5. Only Maxed Up Media employees who must view the data to perform their assigned tasks will have access to personal data.  Employees who do not require access to the personal data will not be granted such access. All employees, regardless of their need to access personal data, will be given mandatory data breach training.

If There Is An Incident Leading To A Personal Data Breach

  1. All Maxed Up Media employees shall be required to immediately notify their supervisor(s) of any actual or suspected personal data breach. If employees are uncertain whether there has been a personal data breach, they shall report the incident to their supervisor(s). In each event, this must be passed to the Data Protection Officer.
  2. If an actual or suspected data breach has occurred, the relevant supervisor shall, upon notice of the actual or suspected data breach, immediately report the event to the Data Protection Officer and Director, where all activity that may have led to the breach will be suspended.
  3. A full investigation into the incident will take place by the Data Protection Officer, to ascertain the nature of the personal data breach and how it happened, with the assistance of all relevant employees. This will then be reported back to the Director. On receipt of this, steps will be taken to mitigate against any further risks, along with an audit on all systems and processes.
  4. Maxed Up Media shall maintain a log of each actual and suspected data breach. This log shall be maintained and kept in accordance with the Document Retention Policy by a) the Information Technology and Legal/Compliance Department of Maxed Up Media and/or any applicable entities to which Maxed Up Media has outsourced these functions and b) the Director of Maxed Up Media. The log shall contain the following information:
    • The facts surrounding the suspected breach;
    • A determination of whether a breach has in fact occurred;
    • The effects of the breach; and
    • Remedial action.
  5. If an actual personal data breach occurs, the Director of Maxed Up Media shall notify the Information Commissioner’s Office (“ICO”) within 72 hours and the Financial Conduct Authority (“FCA”) within 24 hours of becoming aware of the incident. This is unless the breach is likely to result in a high risk of adversely affecting the ‘rights and freedoms’ of customers, in which case they must be informed immediately. Any Affiliates or Buyers that may be affected will be notified at the same time. The notification to the ICO must include at least:
    • A contact person for the ICO and/or FCA to reach about the incident with contact details for that person, including e-mail and telephone numbers
    • The date and time of the incident (or an estimate of the actual date and time if it is unknown)
    • The date and time of when Maxed Up Media detected the incident
    • Basic information about the type of breach
    • Basic information about the personal data collected
    • If available, the number or an estimate of the number of records and the number of individuals that are affected by the incident that led to the breach
    • Measures taken to mitigate the breach; and
    • Information about planned or actual notification to customers
  6. If an actual data breach occurs, Maxed Up Media shall notify its consumers by e-mail of the breach as immediately as is possible. The notification to consumers will contain the following information:
    • A contact person for the consumer to reach, including an e-mail address;
    • The date and time of the incident (or an estimate thereof if the actual time and date is unknown);
    • A summary of the incident surrounding the breach;
    • The nature and content of the personal data that was involved;
    • The likely effect on the individual;
    • Any appropriate measures taken to address the breach; and
    • How the consumer can mitigate any further effects of the breach.
  7. If an employee of Maxed Up Media deliberately performs a personal data breach or does not inform their supervisor of an incident, this will result in instant disciplinary action up to and including dismissal. Their details may be passed to the Information Commissioner’s Office (ICO) in certain circumstances, for example a theft of personal data from Maxed Up Media. This is a criminal offence under section 170 of the DPA which will lead to potential prosecution by the ICO.

PLEASE NOTE

Maxx will continually monitor its network of Affiliates for suspected breaches of the rules governing financial promotions. Upon discovering or receiving a report of any breach or suspected breach, Maxx takes immediate action. Maxx investigates all suspected breaches and either directs Affiliates to address the issues immediately or bans Affiliates from its network permanently.

This guidance is not intended to serve as a substitute for legal compliance and there may be additional laws and regulations regarding consumer finance lead generation activities that are not covered. We recommend that you consult with your own legal advisor. Affiliates are responsible for their own compliance with all applicable laws and regulations. The full range of our policies is available here.