Incident management under GDPR
Author: Igor Streharski, Data Privacy Lead Consultant @ Poslovna inteligencija
In information technology an incident is an occurrence where a service or component fails to provide a feature or service that it was designed to deliver. A security incident is a specific incident type indicating that an organisation’s systems or data have been compromised.
A data breach is a confirmed security incident in which sensitive, confidential or otherwise protected data has been accessed and/or disclosed in an unauthorised fashion. Data breaches may involve personal health information, personally identifiable information, trade secrets or intellectual property.
Within the domain of data privacy when we mention breaches we implicitly think of personal data breaches, which are defined by GDPR as breaches of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
GDPR articles 33 and 34 provide stipulations for notification of personal data breaches to the supervisory authority and to data subjects respectively. Thus data controllers are obliged to communicate all relevant details about a breach to the supervisory authority without undue delay and not later than 72 hours after they have become aware of it, with any delay beyond that additionally justified. The details that need to be disclosed to the supervisory authority include, but are not limited to, the categories and approximate number of data subjects affected by the breach, as well as the categories and approximate number of personal data records that were compromised. Furthermore, data controllers must maintain records of all personal data breaches, any related facts about those breaches, their consequences and all actions taken to remediate them. Such records will then be reviewed by the supervisory authority in order to verify compliance.
Data subjects, on the other hand, must be notified about a data breach as soon as it occurs (in GDPR parlance, “without undue delay”). This is especially true when a high risk to the rights and freedoms of data subjects might exist as a result of the breach. The breach notification to data subjects must use clear and understandable language and include the same pieces of information that need to be communicated to the supervisory authority.
Having in mind all that has been mentioned above, it is obvious that our Data Privacy Manager, which is a central orchestration tool for a data protection officer within an organisation, is the ideal place where records related to any and all personal data breaches are kept.
It is important to say that the tool only deals with confirmed data breaches. This is because any organisation over the course of normal operation might have many incidents, of which only a subset (hopefully none!) will turn into data breaches. Furthermore, we only record the facts that help a data protection officer perform his or her tasks, as stipulated by the GDPR. This implies that the steps in the incident lifecycle (e.g. incident identification, incident containment, etc.) which have to be carried out are not a data protection officer’s concern, and are thus out of scope for Data Privacy Manager as well. These will, of course, need to be performed on the various systems where the data are actually stored, by their owners. What a data protection officer is really interested in is:
- When an incident occurred;
- How many data subjects have been affected;
- Were there any special categories of personal data; and
- Which originating systems stored the data – for the purpose of cross-referencing with the Data Privacy Manager’s register of processing activities which contains the description of measures used to protect the data in the first place.
With all this information a data protection officer can make an informed decision about the impact a breach might have on affected data subjects, whether the supervisory authority should be notified, and what additional steps to take in line with the regulation.
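The following is an added illustration, not code from Data Privacy Manager, of how the breach-register facts listed above can be modelled so that the 72-hour clock and the resulting decisions are derived consistently. The record type, its field names, the sample breach (system names, identifier, timestamps) and the `assess` helper are all constructed for this example; the risk assessment itself remains an input from the data protection officer rather than something the code decides.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Art. 33(1) GDPR: the controller notifies the supervisory authority without undue
# delay and, where feasible, not later than 72 hours after becoming aware of the breach.
AUTHORITY_NOTIFICATION_WINDOW = timedelta(hours=72)
UTC = timezone.utc


@dataclass
class BreachRecord:
    """The facts a DPO keeps about a confirmed personal data breach (constructed model)."""
    breach_id: str                       # constructed identifier, not a real case number
    occurred_at: datetime                # when the incident occurred
    aware_at: datetime                   # when the controller became aware; starts the 72h clock
    data_subjects_affected: int          # approximate number of affected data subjects
    special_categories: bool             # were special categories of personal data involved?
    originating_systems: List[str]       # systems holding the data, for cross-referencing
    high_risk_to_data_subjects: bool     # DPO's assessment; an input, never computed here
    authority_notified_at: Optional[datetime] = None
    no_notification_reason: Optional[str] = None  # recorded when the DPO decides not to notify

    def authority_deadline(self) -> datetime:
        """Latest point at which the supervisory authority should have been notified."""
        return self.aware_at + AUTHORITY_NOTIFICATION_WINDOW

    def hours_remaining(self, now: datetime) -> float:
        """Hours left on the 72-hour clock; negative once the deadline has passed."""
        return (self.authority_deadline() - now) / timedelta(hours=1)


def assess(record: BreachRecord, now: datetime) -> dict:
    """Derive the status flags and review findings a DPO would want on the register."""
    deadline = record.authority_deadline()
    notified = record.authority_notified_at is not None
    findings = []
    if notified and record.authority_notified_at > deadline:
        findings.append("authority notified after 72h: record the reasons for the delay")
    if not notified and now > deadline and record.no_notification_reason is None:
        findings.append("72h window passed with neither notification nor documented justification")
    if record.special_categories and not record.high_risk_to_data_subjects:
        findings.append("special categories involved: re-check the 'no high risk' assessment")
    return {
        "authority_deadline": deadline,
        "authority_notification_open": not notified and now <= deadline,
        "authority_notification_overdue": (
            not notified and now > deadline and record.no_notification_reason is None
        ),
        # Art. 34: data subjects are communicated with when the risk to them is high.
        "communicate_to_data_subjects": record.high_risk_to_data_subjects,
        "findings": findings,
    }


# Constructed sample breach: all values below are invented for this example.
SAMPLE_BREACH = BreachRecord(
    breach_id="BR-0001",
    occurred_at=datetime(2024, 3, 3, 22, 15, tzinfo=UTC),
    aware_at=datetime(2024, 3, 4, 9, 0, tzinfo=UTC),
    data_subjects_affected=1200,
    special_categories=True,
    originating_systems=["HR-payroll", "CRM"],
    high_risk_to_data_subjects=True,
)


def demo() -> dict:
    """Run the sample record through the clock at constructed points in time."""
    day_after = SAMPLE_BREACH.aware_at + timedelta(hours=24)
    week_after = SAMPLE_BREACH.aware_at + timedelta(days=6)
    # A copy of the sample where the authority was told 96 hours after awareness.
    late = replace(SAMPLE_BREACH,
                   authority_notified_at=SAMPLE_BREACH.aware_at + timedelta(hours=96))
    return {
        "deadline": SAMPLE_BREACH.authority_deadline().isoformat(),
        "hours_left_day_after": SAMPLE_BREACH.hours_remaining(day_after),
        "open_day_after": assess(SAMPLE_BREACH, day_after)["authority_notification_open"],
        "overdue_week_after": assess(SAMPLE_BREACH, week_after)["authority_notification_overdue"],
        "late_findings": assess(late, week_after)["findings"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of keeping `high_risk_to_data_subjects` as a stored input is that the register records the officer's decision and its justification (the `no_notification_reason` field) rather than trying to automate a legal judgement; the code only makes the consequences of that decision, and the passing of the 72-hour window, visible.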
Data Privacy Manager’s Incident Management module also provides a data protection officer with a central repository of all past communication between the organisation and data subjects, and between the organisation and the supervisory authority. In any case where there was no need to notify the supervisory authority, a data protection officer can record an explanation of why that decision was made.
Finally, the Incident Management module also allows links to the organisation’s internal ticketing system to be added, should the need ever arise to dig deeper into the origins and resolution status of a breach.
By implementing the Incident Management module, our Data Privacy Manager once again demonstrates that it is the only truly mature and complete tool for the data protection officer in your organisation!
If you would like to test the solution please do not hesitate to contact us!