The GDPR introduces a new requirement for personal data incidents: incidents must be reported to the Security Authority within 72 hours. To meet these obligations under the Regulation, it is important to have adequate procedures in place to detect, report and investigate personal data incidents.
Examinare has an incident team that manages the coordination, communication and responsibility needed to assess, respond to and learn from incidents in order to reduce the risk of recurrence. Depending on the nature and impact of the incident, the persons needed to manage it are involved. The incident-handling process defines the overall flow, and complementary procedures clarify who does what and how the situation is to be addressed. The process is divided into the sub-processes identification of the incident, impact assessment, action process, communication and Root Cause Analysis (RCA).
The identification sub-process determines what type of incident has occurred. The impact assessment sub-process analyses the extent to which customers and users are affected by the incident and what the consequences are. The action process assesses and prioritizes the problem, establishes the action plan and carries out the actions. For a personal data incident, a report is compiled that includes information about:
- What kind of incident is it?
- What categories of people may be affected?
- How many people does it concern?
- What consequences may the incident have?
- What measures have been taken to counteract any negative consequences?
Incidents and actions are communicated to the affected persons. In the case of personal data incidents, notification to the Integration Protection Agency is an activity in this sub-process. After actions have been taken and the affected persons have been informed, a Root Cause Analysis is conducted to prevent the problem from occurring again.