Read the book Privacy & Data Protection Practitioner Courseware - English - European Institute of Management and Finance (EIMF) - Page 17

Your assignment


The privacy team has just implemented a privacy and data protection program. The next step is to set up a data privacy breach response plan. Divide the roles of the data protection officer (DPO) and two employees in charge of privacy tasks among a privacy team of three candidates.

Divide the elements below among the three of you and construct a data privacy breach response plan that contains at least the following elements:

1. A definition of what constitutes a data privacy breach

2. Categories of data privacy breaches (based on impact and severity)

3. Detailed scenarios & instructions for each category

4. Contact information:

a. Departments and internal stakeholders that should be involved in a data breach response.

b. Supervisory authority

c. Third parties providing services for remediation

5. A set of draft documents to be used for notifying the supervisory authority and the affected individuals and for informing the media

6. Metrics on data privacy breaches

In addition to this, the following documents should be available:

7. Logs that prove that the data privacy breach response plan is tested periodically

8. Reports of data privacy breaches that have previously occurred, incl. root cause analyses

9. Each of the team members thinks of a personal data breach that could occur to the personal data processed by Quazle.

The personal data breaches should be:

- considered as such by the General Data Protection Regulation (GDPR) and the applicable literature

- plausible in this case scenario

10. Imagine you discover that one of the three personal data breaches the team members have proposed has indeed happened. Apply the newly elaborated data privacy breach response plan in this specific case. Divide the tasks according to the legal requirements for the roles of the DPO on the one hand and the other roles on the other.

11. Describe what you should do to contain the data breach and subsequently investigate it.

12. Explain why you should or should not notify the supervisory authorities and the individuals affected.
