Incident management policy
Transparency is at the heart of everything we do at Pet Watch.
At Pet Watch, data protection and our stakeholders’ privacy are of utmost importance and thus, through transparency and thought-out processes, we are committed to maintaining and securing all data as laid out by our comprehensive Data Protection Policy. However, in the unlikely event that there is a Data Breach, the following policy outlines the procedures and responsibilities for addressing and mitigating data security incidents in compliance with the Dubai International Financial Centre (hereinafter referred to as the “DIFC”) Law No. 5 of 2020 (hereinafter referred to as the “Data Protection Law”). This policy applies to all employees, contractors, and third-party partners who handle personal data within Pet Watch.
This Incident Management Policy should be read along with our Internal Data Protection Policy, Terms & Conditions, Privacy Policy and other policies provided to Users on the Platform to get a well-rounded and comprehensive understanding of how we work, and to ensure your compliance with all policies and requirements.
Also, please refer to our Data Protection Policy for the definition of any capitalized terms, which are not defined in this Policy.
1. DATA BREACH
1.1. A data breach refers to a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed (hereinafter referred to as “Data Breach” or “Incident”).
1.2. Data breaches can result from various incidents, including cyberattacks, hacking, insider threats, accidental data exposure, or physical theft of devices or documents.
1.3. Data breaches can involve a wide range of data types, including personal information (e.g., names, addresses, contact numbers), financial data (e.g., credit card numbers, bank account details), intellectual property, trade secrets, or any other information that, if exposed or accessed without authorization, could result in harm to individuals or organizations.
1.4. Personal data breaches can include, but are not limited to:
1.4.1. unauthorized third-party access to systems and applications;
1.4.2. deliberate or accidental action (or inaction) by a data controller or processor;
1.4.3. sending personal data to an incorrect recipient;
1.4.4. lost or stolen devices; or
1.4.5. alteration of personal data without permission or necessary instructions.
2. PREVENTATIVE ACTIONS & RESPONSIBILITIES
2.1. All Pet Watch employees are trained in handling your Personal Data by practicing daily security measures and reporting any data breaches following the procedures outlined below.
2.2. All systems, including hardware and software, will be regularly assessed for vulnerabilities. Updates or patches will be applied promptly to address identified security weaknesses, minimizing the risk of exploitation.
2.3. Pet Watch will implement and continuously assess security measures designed to protect against data security Incidents. These measures may include but are not limited to:
2.3.1. Firewalls and intrusion detection/prevention systems to monitor and filter network traffic.
2.3.2. Encryption protocols to protect data in transit and at rest.
2.3.3. Access controls and authentication mechanisms to restrict unauthorized access to sensitive data.
2.3.4. Regular security assessments, including penetration testing and vulnerability scanning.
2.3.5. Employee training and awareness programs to promote a culture of security.
2.4. Regular training and awareness programs will be conducted to educate employees, contractors, and third-party partners about their responsibilities in identifying, reporting, and mitigating data security Incidents. This will help create a culture of vigilance and accountability.
2.5. Pet Watch is committed to maintaining open communication with all stakeholders, including affected individuals, regulators, and law enforcement agencies, as required. Regular updates will be provided on the progress of Incident resolution and any subsequent actions taken.
2.6. This Incident Management Policy will be periodically reviewed and updated to ensure alignment with changes in the DIFC Data Protection Law, industry best practices, and Pet Watch’s evolving security landscape.
3. INCIDENT MANAGEMENT PROCEDURE
3.1. Incident Reporting
3.1.1. In case of a Data Breach, the relevant employee will immediately report the details of the Data Breach to the Data Protection Officer (hereinafter referred to as the “DPO”). Contact details can be found under the Contact Us section of this Policy.
3.1.2. Relevant details to be reported shall include:
3.1.2.1. Affected Data Subjects;
3.1.2.2. Details of the Personal Data that may have been compromised;
3.1.2.3. Any Special Categories of Personal Data involved;
3.1.2.4. Time taken to discover the breach;
3.1.2.5. Security measures in place and how the breach occurred despite these measures;
3.1.2.6. Actions taken or planned to mitigate the breach; and
3.1.2.7. Additional measures implemented to secure the database.
3.2. Incident Assessment
3.2.1. Upon receiving a Security Incident report, the DPO will assess the severity and potential impact of the Incident. This assessment will include evaluating the type of Personal Data involved, the extent of the breach, and the potential risks to individuals.
3.3. Containment & Mitigation
3.3.1. Immediate action will be taken to contain and mitigate the effects of the Incident. This may include but is not limited to isolating affected systems, disabling compromised accounts, and implementing necessary technical measures to prevent further unauthorized access.
3.4. Notification
3.4.1. Affected individuals and relevant authorities will be notified if the incident poses a risk to their rights and freedoms, in accordance with DIFC Data Protection Law.
3.4.2. Notifications will be made promptly, transparently and as soon as is permissible, providing clear and concise information about the breach, its potential impact, and the measures being taken to address it.
3.4.3. If the breach compromises a Data Subject’s confidentiality, security, or privacy, the DPO will notify the Commissioner of Data Protection and cooperate as required by DIFC Data Protection Law.
3.4.4. For breaches likely to result in a high risk to Data Subjects’ rights, the DPO will notify affected Data Subjects as soon as practicable. If direct communication is not feasible, Pet Watch will make a public announcement via the Platform.
3.5. Record Keeping
3.5.1. Detailed records of all data security incidents will be maintained, including the nature of the incident, impact, actions taken, and outcomes. These records will support regulatory compliance and internal audits.
3.6. Lessons Learned & Remediation
3.6.1. After resolving the Incident, a thorough review will be conducted to identify the root causes, vulnerabilities, and lessons learned. Based on the findings, appropriate remediation measures will be implemented to prevent similar Incidents in the future. This may include updating security protocols, enhancing employee training, and improving overall data protection measures.
4. NON-COMPLIANCE
4.1. Non-compliance with this policy by an employee may result in disciplinary actions, including retraining, suspension, or termination, depending on the severity and impact of the non-compliance.
5. CONTACT US
5.1. For any questions, concerns, or requests regarding your data and how it is handled at Pet Watch, please contact us:
Pet Watch Data Protection Officer:
Name: Ms. Monja Madan
Email Address: monja@petwatchapp.com
Contact Number: +971 56 97 34 543