Scheme for Personal Data Breach Management

This certification scheme is developed to assess compliance with the General Data Protection Regulation's requirement that data controllers and processors implement a personal data breach management process and respond promptly to a personal data breach.

It applies to:

  • controllers, including an organisation that makes its own decision to select and use personal data to train an artificial intelligence system;
  • processors established in the Union, including artificial intelligence system providers who select personal data and train systems under the direction of a controller;
  • processors not established in the Union, including artificial intelligence system product manufacturers, importers and distributors, engaged by controllers and processors established in the Union;
  • processing of personal data of data subjects in the Union by a controller or processor, artificial intelligence system product manufacturer, importer or distributor, that is not established in the Union;
  • processing of personal data of data subjects in the Union by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

Outline of the Personal Data Breach Management Scheme


The General Data Protection Regulation (GDPR) introduced the requirement for a personal data breach to be notified to the competent national supervisory authority (or, in the case of a cross-border breach, to the lead supervisory authority) and, in certain cases, to be communicated to the individuals whose personal data have been affected by the breach.

This certification scheme targets the personal data breach management process performed by data controllers and processors and includes all personal data breach management activities. It applies to the controllers and processors listed above, including controllers and processors with processing operations located in the Union and processors outside the Union engaged by controllers located in the Union, and covers:

  • Effective governance of the personal data breach management process
  • Personal data breach identification training for staff
  • Personal data breach policies
  • Personal data breach management responsibilities of the controller
  • Personal data breach handling obligations of processors
  • Planning and preparing personal data breach responses
  • Personal data breach prevention measures
  • Personal data breach detection measures
  • Personal data breach management records
  • Personal data breach risk assessment
  • Personal data breach classification
  • Processor personal data breach reporting to the controller
  • Responding to a personal data breach
  • Escalation of a personal data breach
  • Controller personal data breach reporting
  • Mitigating the possible consequences of a personal data breach
  • Recovering from a personal data breach
  • Notifying the supervisory authority (the DPC) of a personal data breach
  • Notifying data subjects of a personal data breach
  • Working with law enforcement personnel
  • Remediation of a personal data breach
  • Cross-border personal data breach reporting.