Everyone working in Resonate with privileged access to member information of any kind needs to know what to do if they hear of a possible breach, or suspect that the privacy or integrity of that information has been compromised.
Respect for member privacy is something that differentiates us from other streaming and social media platforms. A public breach would be immensely damaging to us, and if we were shown to have been negligent, the fines would be huge. We are doing all we can to make the back end of our systems more secure and to rely less on privileged administrator access to packaged systems.
We are regulated by GDPR and the Data Protection Commission in Ireland, and under those regulations we must:
- know how to recognise a personal data breach.
- understand that a personal data breach isn’t only about loss or theft of personal data.
- have prepared a response plan for addressing any personal data breaches that occur.
- have allocated responsibility for managing breaches to a dedicated person or team.
- know how to escalate a security incident to the appropriate person or team in our organisation to determine whether a breach has occurred.
Our Draft Response Plan is very simple for now:
- If you recognise a breach, or the potential for a breach, please report it immediately to email@example.com. Title: “Incident”. Do not include detail or personal data in the email.
- When asked to provide detail, please use a more secure message channel (Telegram, Signal, Keybase). Provide a description of the nature of the personal data breach including, where possible:
  - the categories and approximate number of individuals concerned; and
  - the categories and approximate number of personal data records concerned.
Our security team is small for now: it’s firstname.lastname@example.org, email@example.com, firstname.lastname@example.org. You can contact them at email@example.com.
We will record the risk or incident and then escalate and agree wider reporting to the impacted individuals or the relevant authorities. We will maintain a security risk register and conduct a risk assessment process.
Anyone with administrator or otherwise privileged access is expected to use long, unguessable passwords, to change them regularly, and to manage them with a secure ‘vault’ tool such as Bitwarden or something similar.
Extracts or downloads of user data from our WordPress platform, or of player data, where personally identifiable information (PII) is involved must be authorised and carefully controlled, and ideally encrypted.
The subjects (listeners, artists, staff, third parties… anyone identifiable) of the personal data we control have the right to:
- be informed if, how, and why their data are being processed;
- access and get a copy of their data;
- have their data corrected or supplemented if it is inaccurate or
- have their data deleted or erased;
- limit or restrict how their data are used;
- data portability (download all their personal information and posts);
- object to processing of their data;
- not be subject to automated decisions without human involvement, where these would significantly affect them.
Subjects have a right of access and organisations must provide transparency. The law is strict and a timely response is critical. We must therefore record and respond promptly to subject access requests. If you receive a data protection complaint or ‘subject access request’ from anyone, whether a member or a listener:
- please report it immediately to firstname.lastname@example.org. Title: “Subject Access”. Do not include detail or personal data in the email, but
- record the name and contact details of the person making the request;
- record the time of original contact and keep a copy of relevant correspondence;
- please use a secure message channel (Telegram, Signal, Keybase) to communicate the nature of the concern or need.