Incident management

In order to meet the obligations regarding incident management under GDPR, it is important to have adequate on-site procedures to detect, report and investigate personal data incidents.

A problem in Glykol AB’s services that generates incorrect or missing data is categorized as a program-related incident. Should this data contain personal data, it also becomes a personal data incident. It may also be a personal data incident if a security incident leads to unauthorized disclosure of or unauthorized access to the processed personal data.

Incident Process
Glykol AB has a routine for the necessary coordination, communication and responsibility to assess, respond to and learn from incidents to reduce the risk of recurrence. The process is divided into the following sub-processes: identification of incident, impact assessment, action process, communication and Root Cause Analysis (RCA). In a personal data incident, compilation of a report is an activity, based on the privacy authority’s template, which describes what information we should include. Incidents and actions are communicated to the persons affected. In case of personal data incidents, notification to Integritetsskyddsmyndigheten is an activity in this sub-process. After actions have been taken and the affected have been informed, a Root Cause Analysis is conducted to prevent the problem from occurring again.