Data Protection Committee

Policy

Social Media Risk Management Policy

Policy Statement

It is the policy of Raquel Pawnshop Inc. to establish and implement guidelines for the responsible and secure use of social media platforms by employees of Raquel Pawnshop, in order to mitigate risks associated with online interactions and protect the reputation of the company.

This policy applies to all employees, contractors, and affiliates of Raquel Pawnshop who utilize social media platforms for professional or personal purposes related to the pawnshop’s business.

  1. Basic Definition of terms

         Social media refers to online platforms and technologies that enable users to create, share, and exchange information, ideas, and content in virtual communities and networks.

         Social media platform refers to Facebook, Twitter, Instagram, LinkedIn, Snapchat, YouTube, and TikTok.

  2. Only authorized employees designated by Raquel Pawnshop are permitted to represent the company on social media platforms. Authorized users must undergo training on social media usage guidelines and best practices.
  3. When representing Raquel Pawnshop on social media, employees must maintain professionalism and adhere to the company’s values and policies.
  4. Employees should avoid sharing confidential or proprietary information about the pawnshop, its clients, or business operations on social media platforms.
  5. Employees should exercise caution when sharing personal information online and ensure that privacy settings are appropriately configured.
  6. Social media accounts used for business purposes should be protected with strong passwords and two-factor authentication.
  7. Any suspicious activity or security breaches must be reported to the Data Protection Committee or to the DPO immediately.
  8. Raquel Pawnshop reserves the right to monitor employee activity on social media platforms to ensure compliance with this policy.
  9. Employees are encouraged to report any potential social media risks or incidents to the designated point of contact.
  10. Employees are prohibited from engaging in any activities on social media platforms that could harm the reputation or interests of Raquel Pawnshop. This includes posting discriminatory, defamatory, or offensive content, as well as engaging in illegal or unethical behavior.

  11. Violation of this social media risk management policy may result in disciplinary action, up to and including termination of employment.

Data Breach Response Policy

Policy Statement

It is the policy of Raquel Pawnshop Inc. to establish procedures to be followed in the event of a data breach involving sensitive information and to ensure prompt and effective response to minimize damage, protect client data, and comply with legal and regulatory requirements.

1. Definition of terms

Data breach is an incident where sensitive, protected, or confidential data is accessed, disclosed, or otherwise compromised without authorization. Sensitive information is personal data including, but not limited to, names, addresses, contact numbers, identification numbers, financial information, and any other data that can identify an individual.

2. The Data Protection Committee will serve as the Data Breach Response Team and will be responsible for managing the data breach incident: 

          a. Incident Response Manager.

                             Catherine V. Cornejo, IT Manager/ DPO 

          b. IT Security Officer.

                             Rommel Jandusay, IT Supervisor 

          c. Public Relation Officers:

                             Lorell Antonette Lustica, Compliance Staff

                             Kayann Razol, HR Staff

                             Jerome Luna, AP Staff

          d. Customer Service Officers:

                             Shiela May Esperanza, Marketing Supervisor

                             Mark Villanueva, Area Coordinator

3. All employees must report any suspicious activity or incidents that could indicate a data breach to their immediate head and the IT Security Officer.

4. Employees must use the Data Breach Reporting Form to provide details about the suspected breach.

5. The IT Security Officer must assess the report and escalate it to the Incident Response Manager within 24 hours.

6. The Data Breach Response Team will conduct an initial assessment within 72 hours to determine:

          a. The nature and scope of the breach

          b. The types of data involved

          c. The potential impact on clients and the business

7. The IT Security Officer will work to contain the breach to prevent further data loss. Actions may include isolating affected systems, changing passwords, and disabling access within 24 hours.

8. The IT department will identify and eliminate the root cause of the breach and will apply necessary patches, updates, or changes to prevent recurrence within 72 hours.

9. The Data Protection Officer shall notify the executive committee within 24 hours of confirming the breach.

10. The Data Protection Officer shall send a report to the NPC or the National Privacy Commission within 72 hours.

11. The Client Service Officer shall notify the affected clients within 72 hours, providing information on the breach, potential impacts, and steps they can take to protect themselves.

12. The Data Breach Response Team shall conduct a thorough investigation to understand how the breach occurred and identify any security weaknesses within 72 hours.

13. All findings, including timelines, actions taken, and final outcomes, shall be documented within 72 hours.

14. The Incident Response Manager shall compile a final report for the executive committee within 72 hours.

15. The IT department shall implement measures to improve security and prevent future breaches within 72 hours.

16. The IT department shall restore the affected systems and ensure they are secure before resuming normal operations within 72 hours.

17. The Data Breach Response Team shall conduct a post-incident review to evaluate the response and shall update the Data Breach Response Policy and Procedures based on the findings within 72 hours.

18. The Data Protection Committee shall provide quarterly training to employees on data security and breach response protocol.

19. This policy shall be reviewed annually and updated as necessary to ensure its continued relevance and effectiveness.

Social Media Issues and Concerns Reporting Policy

Policy Statement

It is the policy of Raquel Pawnshop Inc. to provide clear guidelines for identifying, reporting, and addressing social media issues and concerns that could impact the pawnshop’s reputation, operations, or customers, including account hacking, impersonation, or fraudulent activity.

  1. Definition of terms

        Fraudulent Activities are scams, phishing attempts, or fake promotions linked to Raquel Pawnshop.

        Hacked Accounts refers to unauthorized access to Raquel Pawnshop’s official social media accounts.

        Impersonation or Fake Accounts are social media accounts using Raquel Pawnshop’s name, logo, or likeness to mislead customers.

        Inappropriate Content refers to posts or messages that violate social media policies or community standards.

  2. There shall be an assigned Social Media Officer from the Marketing department who will be responsible for monitoring accounts, identifying issues, and initiating the reporting process.
  3. Employees are required to report suspicious activity or concerns to the designated Social Media Officer.
  4. The Social Media Officer shall encourage customers to report any fake accounts or suspicious activity to the pawnshop via email or phone.
  5. Reporting procedure:

               a. For Hacked Accounts

                       i. Secure the account by changing the password immediately and enabling two-factor authentication.

                      ii. Use the platform’s security or support page (e.g., Facebook Help Center) to report the hack.

                     iii. Inform employees and customers through alternate channels about the compromised account.

                      iv. Record details such as the date and time of the hack and unauthorized actions taken.

               b. For Impersonation or Fake Accounts

                       i. Verify unauthorized use of branding, name, or likeness.

                      ii. Use the platform’s impersonation reporting tools to flag the account.

                     iii. Issue a public notice on official channels warning customers not to engage with the fake account.

                      iv. Track the report’s status and provide additional evidence if requested.

               c. For Fraudulent or Harmful Content

                       i. Document evidence, such as screenshots or links.

                      ii. Report the content using the platform’s reporting tools.

                     iii. Report the issue to law enforcement if it involves criminal activity.

  6. The Social Media Officer shall:
          a. use strong passwords and update them every 30 days.
          b. enable two-factor authentication on all social media accounts.
          c. limit administrative access to trusted personnel.
          d. conduct regular audits of official accounts for unusual activity.
          e. provide updates on resolution progress.
          f. educate employees on identifying and addressing social media threats.
          g. analyze the cause of the issue and implement measures to prevent recurrence.