The Spanish Data Protection Agency (AEPD) has presented the 'Guide for the management and notification of security breaches', prepared together with ISMS Forum and in collaboration with the Centro Criptológico Nacional (CCN) and INCIBE. The document offers both preventive recommendations and an action plan, so that organisations know how to avoid breaches and how to proceed when one occurs.
Before the GDPR (RGPD) became applicable, the obligation to notify the Agency of security breaches affecting personal data applied only to electronic communications service providers and trust service providers. Since 25 May 2018 this obligation applies to every data controller, which underlines the importance of all actors knowing how to manage a breach.
Under the Regulation, once the data controller becomes aware that a personal data breach has occurred, it must notify the competent supervisory authority without undue delay and no later than 72 hours after becoming aware of it. Notification to the Agency is required unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
If the breach is likely to result in a high risk to the rights and freedoms of natural persons (for example, unlawful access to the usernames and passwords of a service), then, in addition to notifying the supervisory authority, the controller must also communicate the breach to the affected data subjects, in clear and plain language and in a concise and transparent manner.
The 'Guide for the management and notification of security breaches' is aimed at controllers of personal data and seeks to make it easier to comply with the GDPR obligation to notify the competent authority and, where appropriate, the affected data subjects, so that the notification to the authority is sent through the appropriate channel and contains useful information that meets the new requirements of the GDPR. Many professionals and experts in the sector took part in drafting the document, which reflects the experience and knowledge of companies that already have procedures in place for managing security incidents.
The guide is intended to cover the full range of Spanish businesses, both SMEs and large companies, and it may equally be useful to controllers and processors in public administrations involved in managing security breaches.
The document is organised into five broad sections: the first is devoted to the detection and identification of breaches, including details on how the organisation should prepare; the second covers the action plan, setting out the basics of how to proceed when an incident occurs; the third gives details on how to analyse the breach; and the final sections go deeper into the response process and the notification of the breach to the supervisory authority.
Furthermore, notifying a security breach does not in itself lead to a penalty, since the diligence shown by the controller and the processor, and the measures they adopted, must first be analysed.
The launch of the 'Guide for the management and notification of security breaches' completes the set of support materials that the Spanish Data Protection Agency has published to ease adaptation to the GDPR, which include the compliance checklist and the guidelines for controllers of personal data, the guide on complying with the duty to inform, the guidance on drafting contracts between controllers and processors, the guides on risk analysis and impact assessments, and the Facilita_RGPD tool for companies that process low-risk data.