
Question


Manage business risk

Questions are below case study

Case Study E - Data breach

Clients were contacted by Greenway's Financial Services when they became aware of a potential data breach that could affect up to 10,000 clients.

The managing director, Tony Greenway, has stated that they have contacted over 3,000 customers so far regarding potentially breached data. Although no bank account information has been stolen, it appears that personal contact details may have been compromised, such as:

Names of customers

Phone numbers

Addresses

Email addresses.

Case Study F - Example documentation

Hair by Jessie - Proprietor Jessica Mays

GDPR - Organisational policies and procedures

Dated 10th December 2020

The GDPR and the Australian Privacy Act 1988 share many common requirements, including to:

Adopt transparent information handling practices

Data must be collected and used fairly and within the law

The information held must be adequate for its purpose

The information must be up-to-date

Data must not be stored longer than needed

The information must be safe and stored away from unauthorised access.

Data must be used in line with the rights set out in the Data Protection Act

The Act gives consumers several rights:

The right to access their personal data - you may wish to implement an online log-in system so people can view their own data. If a consumer asks to see their information, called a 'subject access request', you have 40 days to show them.

The right to stop their data being used for marketing such as cold calling and junk mail - you cannot use data for marketing purposes if the customer has refused. You may want to allow an opt-in or opt-out option, for example, "tick this box if you don't want to be contacted by other suppliers".

The right to stop their data from being used in a way that could cause distress

The right to stop automatic decision-making with their data

The right to compensation for any damages caused by the misuse of their data.

Australian entities and the EU General Data Protection Regulation (GDPR), OAIC (Accessed 12/03/21)

Activity 4A

This activity does not require observation. Refer to Case Study E - Data breach

1. You must research the topic of a potential data breach and determine the different options that companies could take to treat such risks. Note down findings in your workbook.

2. From your findings from Question 1, identify the most appropriate option the company should take and explain your reason for this choice.

Activity 4B

Using Activity 4A as a guide and the template below, develop an action plan for the implementation of your chosen risk treatment.

Objectives (List of risks)

Tasks (What you need to do to treat risk)

Success Criteria (How you will identify your success)

Timeframe (By when you need to achieve the task)

Resources (What resources you need for each task)

Activity 4C

This activity does require observation.

This is a roleplay activity to be conducted in groups of three to four, with you playing the role of the manager and your peers playing 'relevant parties'.

As a continuation from Activity 4B, lead a discussion session to communicate the risk management processes you are working on within your action plan.

You must include:

Details of your action plan

The objective you would like to achieve

The task you are undertaking

The timeframe you are working within

The resources you may need

The reasoning behind your decisions.

Make relevant notes in your workbook to clarify the information you have shared.

Activity 4D

This activity does not require observation.

Continuing from Activity 4C, you must develop a short report explaining how your action plan complies with your organisational policies and procedures.

If possible, your assessor will provide you with example workplace documentation for data protection that is relevant to your industry.

If this is not available, you can refer to Case Study F - Example Documentation.

Activity 4E

This activity does not require observation.

Using the information from Activities 4B, 4C & 4D, outline how you will monitor and evaluate your action plan in a written guide.

You must include the following information:

The strategies you will use to determine the progress of the risk treatment

The personnel who will be involved

The resources you will use.
