Breach process/procedure templates

You have had a personal data breach, and the clock starts ticking. You have 72 hours to decide if a report must be sent into the Data Protection Authority.

Here is a flow, to help you in this 72 hour window.

Add breach to register

The breach register can be found under the main menu Risks.

Once you add the date of the breach, the deadline of 72 hours will be added automatically.

In this example it has been decided to inform the customer of the incident, even though a high risk to their rights and freedoms are not identified. This can be added to the box on 'Justification on communication decision'.

Mitigations and remediations

What is the difference between a mitigation and a remediation? The first image on the left shows the order and relationship between why and risks with mitigate and remediate.

In the second image on the left:

  • The customer has been contacted, so they are aware of the incident;

  • The assessed risk is low;

  • Why it happened? This is a common type of incident and could be avoided if the contracts were sent direct from the CRM application. 

Decision to report to the Data Protection Authority

If the personal data breach presents a high risk of harm to the rights and freedoms of the natural person, it must be reported to either the Data Protection Authority (DPA) or the data controller.