SoftOne has a group (Incident Management) that manages the necessary coordination, communication and responsibility to assess, react to and learn from incidents to reduce the risk of them happening again. Depending on the nature and impact of the incident, the people required to handle the incident are involved. The process for handling is the basis for the flow, which with supplementary routines clarifies who does what and how the situation should be handled.

When identifying an incident, the type of incident in question is identified. In the Consequence Analysis sub-process, an analysis of the scope of which customers and users are affected by the incident and what the consequences will be. In the Action Process, assessment and prioritization of the problem takes place in order to secure the action plan and the execution of the action. In the event of a personal data incident, compiling a report is an activity, where we start from the Data Protection Inspectorate’s template which describes that we must include information about:

1. What type of incident it is
2. Which categories of persons may be affected
3. How many people it affects
4. What consequences the incident may have
5. What measures have been taken to counteract possible negative consequences

If the incident is classified as serious (Major), the process works according to the image above.

The incident and measures are communicated to those affected. In the event of a personal data incident, notification to the Data Protection Authority is included as an activity in this sub-process. After measures have been implemented and those affected have been informed, an experience report is carried out with the aim of preventing the problem from occurring again.