Incident management at SoftOne

The data protection regulation (GDPR) requires that personal data incidents be reported to the Data Protection Authority within 72 hours. To fulfill the obligations that follow from the regulation, it is important to have adequate procedures in place for detecting, reporting and investigating personal data incidents.

What is an incident?

A program-related incident can also be a personal data incident. A problem in SoftOne’s software that generates incorrect or missing data is categorized as a software-related incident; if that data contains personal data, it is also a personal data incident. A security incident that leads to unauthorized disclosure of, or unauthorized access to, the personal data being processed is likewise a personal data incident.

Incident Process

SoftOne has a group (Incident Management) that handles the coordination, communication and responsibility needed to assess, react to and learn from incidents, so as to reduce the risk of them happening again. Depending on the nature and impact of the incident, the people required to handle it are involved. The incident handling process forms the basis for the flow, and supplementary routines clarify who does what and how the situation should be handled.

When an incident is identified, its type is determined. In the Consequence Analysis sub-process, an analysis is made of which customers and users are affected by the incident and what the consequences will be. In the Action Process, the problem is assessed and prioritized in order to establish the action plan and carry out the action. In the event of a personal data incident, compiling a report is one of the activities; here we start from the Data Protection Inspectorate’s template, which requires that we include information about:

  1. What type of incident it is
  2. Which categories of persons may be affected
  3. How many people it affects
  4. What consequences the incident may have
  5. What measures have been taken to counteract possible negative consequences

If the incident is classified as serious (Major), the process follows the flow shown in the image above.

The incident and the measures taken are communicated to those affected. In the event of a personal data incident, notification of the Data Protection Authority is included as an activity in this sub-process. After the measures have been implemented and those affected have been informed, an experience report is produced with the aim of preventing the problem from occurring again.