
Incident management under the GDPR


Author: Igor Streharski, Data Privacy Lead Consultant @ Poslovna inteligencija

Incident management is a term you are probably very familiar with by now. However, you may be wondering how different incident management is under the General Data Protection Regulation.

In information technology, an incident is an event in which a service or component fails to deliver a feature or service it was designed to provide. A security incident is a specific type of incident indicating that the confidentiality, integrity or availability of the organization’s systems or data has been compromised.

A data breach is a confirmed security incident in which sensitive, confidential or otherwise protected data has been accessed and/or disclosed in an unauthorized fashion.

Data breaches may involve personal health information, personally identifiable information, trade secrets or intellectual property.


Incident management according to the GDPR

Within the domain of data privacy, when we mention breaches we implicitly mean personal data breaches, which the GDPR (Article 4(12)) defines as:

 A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

GDPR Articles 33 and 34 set out the requirements for notifying personal data breaches to the supervisory authority and to the affected data subjects, respectively.

Under Article 33, a data controller must notify the supervisory authority of a personal data breach without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The 72-hour clock starts at the moment of awareness, not at the moment the breach occurred, so the point at which the organization became aware of the breach is itself a fact worth recording. If the notification is made later than 72 hours, it must be accompanied by the reasons for the delay. A processor that becomes aware of a breach must notify the controller without undue delay (Article 33(2)).

The notification to the supervisory authority must at least describe the nature of the breach, including the categories and approximate number of data subjects affected and the categories and approximate number of personal data records concerned; give the name and contact details of the data protection officer or another contact point; describe the likely consequences of the breach; and describe the measures taken or proposed to address it, including measures to mitigate its possible adverse effects. Where not all of this information is available at once, it may be provided in phases without further undue delay.

Furthermore, data controllers must document every personal data breach, including the facts relating to it, its effects and the remedial action taken (Article 33(5)).

This documentation must enable the supervisory authority to verify compliance with Article 33, which is why records should also be kept for breaches that were assessed as not requiring notification. Data subjects, by contrast, do not have to be informed of every breach: under Article 34 the controller must communicate the breach to the affected data subjects without undue delay when it is likely to result in a high risk to their rights and freedoms.

The communication to data subjects must describe the nature of the breach in clear and plain language and contain at least the data protection officer’s contact details, the likely consequences of the breach and the measures taken or proposed, i.e. the same items that go to the supervisory authority. Article 34(3) exempts the controller from informing data subjects individually where the affected data were rendered unintelligible to unauthorized parties (for example, by encryption with a key that was not itself compromised), where subsequent measures ensure that the high risk is no longer likely to materialize, or where individual communication would involve disproportionate effort, in which case a public communication or an equally effective measure must be used instead.


Data Privacy Manager’s Incident Management module


With all of the above in mind, the Data Privacy Manager, which is the central orchestration tool for a data protection officer within an organization, is the natural place to keep the records relating to any and all personal data breaches.

It is important to note that the tool deals only with confirmed personal data breaches. Any organization, over the course of normal operation, will have many security incidents, of which only a subset (hopefully none!) turn out to be personal data breaches in the GDPR sense.

Furthermore, we record only the facts that a data protection officer needs in order to perform the tasks the GDPR assigns to him or her.

Data Protection Officer’s responsibilities

This implies that the operational steps of the incident lifecycle (identification, containment, eradication, recovery and so on) are not the data protection officer’s task to carry out, and so they are out of scope for the Data Privacy Manager as well.

These steps are, of course, performed by the owners of the systems where the data are actually stored, within the organization’s existing incident response process. What a data protection officer really needs to know is:

  • When the incident occurred, and when the organization became aware of it, since the 72-hour notification deadline runs from awareness
  • How many data subjects have been affected
  • Whether any special categories of personal data were involved
  • Which originating systems stored the data, for cross-referencing with the Data Privacy Manager’s register of processing activities, which describes the measures that were in place to protect the data in the first place

With this information a data protection officer can make an informed decision about the likely impact of the breach on the affected data subjects, whether the supervisory authority and the data subjects need to be notified, and which further steps the regulation requires.

Data Privacy Manager’s Incident Management module also provides a data protection officer with a central repository of all past communication between the organization and data subjects, and between the organization and the supervisory authority.

Where the decision was not to notify the supervisory authority, a data protection officer can record the reasoning behind that decision. Since the breach documentation must allow the supervisory authority to verify compliance, a documented justification for not notifying is as important as the notification itself.

Finally, the Incident Management module also allows links to the organization’s internal ticketing system to be added, in case a need ever arises to dig deeper into the origins and resolution status of a breach.

By implementing the Incident Management module, our Data Privacy Manager once again demonstrates that it is the only truly mature and complete tool for the data protection officer in your organization!
