Incident management

The GDPR contains requirements for personal data incidents. This means that incidents need to be reported to the Security Authority within 72 hours. In order to fulfill these obligations under the Regulation, it is important to have adequate procedures in place to detect, report and investigate personal data incidents.


A program-related incident may also be a personal data incident. A problem in Avista that generates incorrect or missing data is categorized as an application-related incident. If that data contains personal data, it also becomes a personal data incident. A security incident that leads to unauthorized disclosure of, or unauthorized access to, the processed personal data may also be a personal data incident.

Incident Process

Avista Time is responsible for managing the necessary coordination, communication and responsibility to assess, respond to and learn from incidents to reduce the risk of repetition. Depending on the nature of the incident and its impact on Avista, the staff involved are required to handle the incident. The handling process is the basis for the flow, which, together with complementary procedures, clarifies who does what and how the situation is to be addressed. The process is divided into the following sub-processes: identification of the incident, impact assessment, action process, and communication to those affected by the incident.

When an incident occurs, the type of incident is identified. The impact assessment determines the extent to which customers and users are affected by the incident and what the consequences are. During the action process, the problem is assessed and prioritized to ensure that there is a plan of action and that the action is carried out. For a personal data incident, a summary report is written containing:

What kind of incident it is

What categories of people may be affected

How many people it concerns

What consequences the incident may have

What measures have been taken to counteract any negative consequences

Incidents and actions are communicated to those affected by the incident. In the case of personal data incidents, notification to the Integrity Protection Authority is part of the process.

Information is provided via “avista message” and by email to the customers’ named contact persons.