Of course it is best if problems never happen. However, loss/theft of personal data and service suspensions are some management risks that cannot be avoided. GDPR fines can be enormous. As such, responding incorrectly to cases of personal data breach (loss/theft of personal data or large-scale service outages) can ruin a company's reputation, cause a company to cease operations, and/or result in massive fines. For this reason, the initial response to Supervisory Authorities regarding incidents, announcements made to data subjects, and designing appropriate post-action support policies are extremely important in reducing fines and other risks.
The IIJ GDPR Incident Management and Support Service coordinates with teams of our service users to handle sensitive and urgent issues such as submitting reports to Supervisory Authorities within 72 hours of an incident (*1), coordinating with related internal departments, and disclosing information to data subjects. We also provide other necessary functions, such as creating actual report documents, at our customer's request (*2).
As many companies rarely communicate with Supervisory Authorities and data subjects on a regular basis, IIJ experts will visit the concerned site when an incident occurs and work with the incident response team on-site to provide advice on how to properly submit reports and release information to Supervisory Authorities and data subjects in the EU.
Many companies are not familiar with the actual reports that need to be submitted to Supervisory Authorities. Trying to create documentation from zero when an incident occurs is a sure path to failure. Internal accommodations also take up time and manpower, so outsourcing tasks such as document creation allows your organization to focus on collecting information, making the right decisions, and giving proper instructions. This service also performs various tasks, such as creating necessary documents, per your request.
GDPR requires companies to submit reports to Supervisory Authorities within 72 hours once a controller realizes that a personal data breach has occurred (*1). The period of initial investigation does not count as the state of awareness (*1). If the period of initial investigation is long, it is certainly possible to submit the report within 72 hours. If a third party submits a report to the Supervisory Authority before you do, indicating that personal data was stolen/lost or that a large-scale service outage has occurred, fines will be severe. For this reason, it is critical for companies to submit an initial report to the Supervisory Authorities as soon as possible.
By subscribing to this service, there is no need to worry about contract procedures during an incident. We will immediately be available to provide support during such situations.
It is necessary, however, to have a sufficient understanding of the service user's system/organization for handling personal data beforehand. For this reason, we highly recommend that you also have a contract for the IIJ DPO Outsourcing Service or IIJ GDPR Second Opinion Service.
Providing incident support requires urgency, important decision-making, and intensive focus to perform these tasks. Experts may need to work at night, on weekends, or on holidays, which results in significant cost.
Supervisory Authorities typically conduct audits on companies whenever they experience an incident. This means it is critical to devise appropriate post-action plans and to establish an organization to implement the new policies. The expense of such temporary support from experts also tends to be quite high. These costs are covered by insurance policies that include special GDPR clauses. We recommend using insurance effectively in this way. We can also provide recommendations on insurance programs that offer GDPR clauses.