Organizer Projektsystem

Incident Management

If a software-related incident occurs, it can lead to a personal data breach. A problem in Organizer that generates incorrect or missing data is categorized as a software-related incident. If this data contains personal information, it also becomes a personal data breach. A personal data breach can also occur if a security incident leads to unauthorized disclosure of or unauthorized access to the personal data being processed.

Incident Process

The process is divided into the sub-processes of incident identification, consequence analysis, action process, communication, and Root Cause Analysis (RCA).

During incident identification, the type of incident in question is identified.

In the Consequence Analysis sub-process, an analysis is performed on the extent to which customers and users are affected by the incident and what the consequences will be.

In the Action Process, the problem is assessed and prioritized to ensure an action plan and the implementation of the action. In the event of a personal data breach, compiling a report is an activity, for which we use the Swedish Authority for Privacy Protection's template, which states that we must include information about:

• The type of incident in question
• Which categories of people may be affected
• How many people are affected
• The potential consequences of the incident
• The measures taken to counteract any negative consequences

The incident and the actions taken are communicated to those affected. In the case of a personal data breach, reporting to the Swedish Authority for Privacy Protection is an activity in this sub-process.

After the actions have been implemented and those affected have been informed, a Root Cause Analysis is conducted with the aim of preventing the problem from recurring.