[SOP Request] Reporting a Data Breach #18

Open
2 tasks done
M-casado opened this issue Jul 15, 2024 · 0 comments
Labels
enhancement New feature or request new-sop-request Label assigned to issues requesting a new GDI SOP

Comments

@M-casado
Collaborator

SOP topics

Data protection & security

SOP type

European-level

SOP Title

Reporting a Data Breach

Detailed Description

  1. Immediate Internal Reporting:

    • Protocols for internal reporting within a GDI node as soon as a data breach is detected.
    • Designation of responsible personnel for initial breach reporting.
  2. Notification to European-level Authorities:

    • Detailed steps on how to notify relevant European-level authorities, including the European Data Protection Supervisor (EDPS) and other regulatory bodies, within the required timeframe (typically within 72 hours of becoming aware of the breach).
    • Information that must be included in the notification, such as:
      • Nature of the data breach.
      • Categories and approximate number of affected individuals and data records.
      • Likely consequences of the breach.
      • Measures taken or proposed to address the breach and mitigate its effects.
  3. Communication with Affected Parties:

    • Guidelines for communicating with affected individuals when the data breach is likely to result in a high risk to their rights and freedoms.
    • Templates and standardized messages for breach notifications.
  4. Coordination and Collaboration:

    • Procedures for coordinating with other GDI nodes and relevant stakeholders during the reporting process.
    • Guidelines for collaborative efforts in investigation and mitigation across different nodes.
  5. Documentation and Record-Keeping:

    • Requirements for documenting all breach reports, notifications, and communications.
    • Record-keeping standards to ensure compliance with legal and regulatory requirements.
  6. Follow-up and Monitoring:

    • Procedures for follow-up actions after the initial reporting, including updates to regulatory bodies and affected individuals.
    • Monitoring and review of the breach handling process to improve future responses.
  7. Training and Awareness:

    • Training requirements for staff to ensure they are familiar with the SOP and can effectively execute reporting procedures.
    • Regular awareness programs to keep staff updated on reporting protocols and any changes in regulatory requirements.

Motivation

There is currently a need for a standardized procedure for reporting data breaches at a European level within the GDI network. Without such a procedure, there is a risk of non-compliance with regulatory requirements, inconsistent communication with authorities and affected individuals, and ineffective breach management. This SOP will ensure that all GDI nodes report breaches in a timely and compliant manner, protecting the rights and interests of individuals and maintaining trust in the GDI network.

Existing Procedures or References

Impact

This SOP will ensure that data breach reporting is consistent and compliant with European regulations across all GDI nodes. It will enhance the overall security and trustworthiness of the GDI network by ensuring timely and effective communication with regulatory bodies and affected individuals. All GDI nodes and stakeholders will benefit from clear and standardized reporting procedures, reducing the risk of regulatory penalties and reputational damage.

Stakeholders

  • 1+MG Management Board
  • GDI Coordination Committee
  • IT security team
  • GDI central and nodes' Helpdesk
  • Node administrators
  • Legal and compliance teams
  • European Data Protection Supervisor (EDPS)
  • Other relevant regulatory bodies

Additional Information

Consider outlining specific examples of data breach scenarios and how the SOP should be applied in those cases. Include contact information for European-level authorities and any relevant templates for breach notifications.

Requester GDI role

Yes

Requester GDI Node

EMBL-EBI

Confirmation

  • I have searched the existing SOPs and this request does not duplicate an existing SOP.
  • I understand that submitting this request does not guarantee the creation of the SOP.
M-casado added the labels enhancement (New feature or request) and new-sop-request (Label assigned to issues requesting a new GDI SOP) on Jul 15, 2024