As part of the implementation of the General Data Protection Regulation (GDPR), our Data Breach Notification Procedure has been replaced by Kantar’s Data Incident Notification Procedure. What has not changed is that data breaches must be notified to the Dutch Data Protection Authority within 72 hours of becoming aware of them.
Using this web page, Kantar’s employees and payroll employees, as well as our interviewers, freelancers and suppliers, can easily report a data breach.
In the event you know or suspect that a data incident or data breach has occurred you must follow these 4 steps immediately (within 6 hours):
1. Complete the Data Incident form, setting out as much detail as possible about the issue (in English!).
2. Employees and payroll employees: Raise a ticket with the IT Helpdesk, attaching the completed Data Incident form.
3. Employees and payroll employees: Notify the Data Protection Officer Gillie Abbotts-Jones via GDPR@Kantar.com, copying firstname.lastname@example.org at the same time. In the subject line, clearly refer to the event (data incident or data breach) and attach the completed Data Incident form.
4. Employees and payroll employees: Notify your line manager and our Data Incident Coordinators (Bern Kreleger and Remco van ’t Hoff) at the same time, attaching the completed Data Incident form.
   Interviewers, freelancers and suppliers: Notify our Data Incident Coordinators (Bern Kreleger and Remco van ’t Hoff) at the same time, attaching the completed Data Incident form.
What is a data incident or data breach?
A data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
A data incident is a suspected data breach, or an event in which personal data may have been lost.
Personal data means any information that relates to an identified or identifiable living individual. Think of:
- Name, address, post code, phone numbers, email addresses
- Date of birth
- Cookies, IP addresses, geolocation data (location)
- Passport or ID card number, Dutch Citizen Service Number (BSN) or social security number
- Access or identification information (e.g. username / password, client number or panel ID of NIPObase panelists)
- Videos and audio recordings
- Financial data (e.g. account number, credit card number)
- Sensitive personal data (e.g. race, ethnicity, criminal records, political beliefs, trade union membership, religion, sexual orientation, medical data)
- Answers to open questions or a combination of background variables, which may identify a respondent
Can you give me examples of reportable data incidents?
- Email or attachment sent to the unintended recipient(s) (internal or external) containing personal data.
- A company data product that may have disclosed or displayed personal data.
- Lost data storage media (e.g. USB sticks, drives, recording equipment, CDs) that may contain personal data. This should be reported immediately, regardless of whether you believe the media can be recovered.
- Loss or theft of any office equipment (e.g. laptops or phones) that may contain personal data. This should be reported immediately, regardless of whether staff believe the equipment can be recovered.
- Loss or theft of any hardcopy records, files, documents, mailings or materials containing personal data.
- Loss or theft of any briefcase, bag etc. containing work-related materials such as hardcopy files, storage media, laptops, tablet computers, phones, etc.
- Any loss or theft of any of the above, regardless of circumstances. For example, loss or theft occurring in a car, train, airplane, taxi, hotel, restaurant, at home or in any other location.
- Any breach of IT security, whether or not you have confirmation that data has been lost or accessed.
What else does Kantar expect from me?
- When in doubt (for example, because it is unclear whether any personal data is involved), act as if there has indeed been a data incident. It is better to report once too often than once too few!
- Do not attempt to determine the severity yourself, or whether escalation or notification is needed. That determination is made in cooperation with our Data Protection Officer and WPP Legal.
- Do not make external notifications (e.g. to clients or anyone else) without consultation with, and direction from, our Data Protection Officer and WPP Legal.