Incident Management
The GDPR contains requirements for personal data incidents. This means that incidents need to be reported to the privacy protection authority within 72 hours. In order to fulfill these obligations according to the regulation, it is important to have sufficient procedures in place to be able to detect, report and investigate personal data incidents.
Incident
If a program-related incident occurs, it may also constitute a personal data incident. A problem in Avista that generates incorrect data or no data is categorized as a software-related incident. Should the incorrect data contain personal data, it is also a personal data incident. A security incident likewise becomes a personal data incident if it leads to unauthorized disclosure of, or unauthorized access to, the processed personal data.
Incident Process
Avista Time has managers who handle the coordination, communication and responsibility needed to assess, react to and learn from incidents in order to reduce the risk of recurrence. Depending on the nature of the incident and its impact on Avista, the personnel required to handle it are involved. The incident handling process forms the basis of the workflow, and supplementary routines clarify who does what and how the situation should be handled. The process is divided into the sub-processes of incident identification, impact analysis, action and communication to those affected by the incident. When an incident occurs, the type of incident is identified. In the impact analysis, the scope is assessed: which customers and users are affected by the incident and what the consequences will be. During the action phase, the problem is assessed and prioritized so that an action plan is established and the action is implemented. In the event of a personal data incident, a report is written containing:
- What type of incident it is
- Which categories of persons may be affected
- How many people it affects
- What consequences the incident may have
- What measures have been taken to counteract possible negative consequences
The incident and measures are communicated to those affected by the incident. In the event of a personal data incident, notification to the Swedish Data Protection Authority is part of the process.
Information is provided via so-called "spot notice" and/or via e-mail to the customers' named contact persons.