As part of the implementation of the General Data Protection Regulation (GDPR) our Data breach Notification Procedure has been replaced by Kantar’s Data Incident Notification Procedure. What hasn’t been changed is that data breaches should be notified to the Dutch Data Protection Authority within 72 hours of becoming aware.
This web page informs Kantar’s employees and payroll employees as well as our freelancers and suppliers about how they can report a data incident or data breach in an easy manner.
In the event you know or suspect that a data incident or data breach has occurred you must follow these 4 steps immediately (within 6 hours):
- Complete the Data Incident form on the GDPR Konnect website, setting out as much details as possible about the issue (in English!).
- Raise a ticket with WPP’s IT Helpdesk, attaching the completed Data Incident form.
- Notify the Data Protection Officer Gillie Abbotts-Jones via GDPR@Kantar.com, copying firstname.lastname@example.org at the same time. In the subject, clearly refer to the event (data incident or data breach) and attach the completed Data Incident form.
- Notify the following persons at the same time, attaching the completed Data Incident form:
If you don’t have access to the Data Incident form and/or WPP’s IT Helpdesk, then please send an email to the persons mentioned in step 3 and 4. In this email, set as much details as possible about the issue. Indicate that you haven’t filled in a Data Incident form and/or informed WPP’s IT Helpdesk yet. Our Data Incident Coordinators will contact you to ensure these steps will be taken as soon as possible too.
What is a data incident or data breach?
A data breach
is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
A data incident
is a suspected
data breach or event in which personal data may have been lost.
means any information that relates to an identified or identifiable living individual. Think of:
- Name, address, post code, phone numbers, email addresses
- Date of birth
- Cookies, IP addresses, Geometric data (location)
- Passport or ID card number, Dutch Citizen Service Number (BSN) or social security number
- Access or identification information (e.g. username / password, client number or panel ID of NIPObase panelists)
- Videos and audio recordings
- Financial data (e.g. account number, credit card number)
- Sensitive personal data (e.g. race, ethnicity, criminal records, political beliefs, trade union membership, religion, sexual orientation, medical data)
- Answers to open questions or a combination of background variables, which may identify a respondent