Task:
Purpose:
Legal Entities:
Questions:
a) Details of Data Protection Breach
Details of the Incident
Incident Date
How did the incident happen?
Reason for the delay in reporting the incident to the Commissioner (if any)
What measures did you have in place to prevent the incident from occurring?
Details of Policies & Procedures in place that are considered relevant to the incident
Policies & Procedures Implementation Date
b) Personal Data at Risk
Details of personal data that has been placed at risk
Details of affected financial or sensitive data
Number of affected individuals
Are the affected individuals aware of the incident?
Potential detriment to individuals and adverse effect on those individuals
Have any affected individuals complained to the Data Controller?
Has the organisation taken any action to minimise/mitigate the effect on the affected individuals?
Has the data placed at risk now been recovered?
Steps that the Data Controller has taken to prevent a recurrence of the incident
c) Data Processors (Third Party)
Was the incident a result of a breach by a Data Processor? (If No, skip to Training and Guidance)
What action(s) did the Processor take to minimise/mitigate the effect on the affected individuals?
Were there any contractual obligations with the Processor regarding the use of personal data?
Did the contractual obligations include technical and organisational measures regarding security?
Do you consider that the incident has breached any contractual obligations or safeguards?
What action have you taken with regard to the Processor?
d) Training and Guidance
As a Data Controller, did you provide your staff with training on the requirements of the Data Protection Regulations?
Is the training mandatory for all staff?
Had all of the staff members involved in this incident received training?
As the Data Controller, are you providing any detailed guidance to staff on the handling of personal data in relation to the incident you are reporting?
e) Previous Reports
Have you reported any previous incidents to the Commissioner in the last two years?
f) Miscellaneous
Have you notified any other (overseas) data protection authorities about this incident?
Have you informed the Police about this incident?
Has there been any media coverage of the incident?
Pay Attention:
1) Under Article 32 of ADGM’s Data Protection Regulations 2021, Data Controllers must notify the Office of Data Protection of personal data breaches without undue delay and, where feasible, not later than 72 hours after becoming aware of them.
2) Data Controllers must inform the Office of Data Protection of a data breach. ‘Data Controller’ means any ADGM registered entity that alone or jointly with others determines the purposes and means of the processing of Personal Data. A representative of the Data Controller should make the notification to the ADGM Office of Data Protection on behalf of the Data Controller.
Submission:
Timeline:
Timeframe:
Supporting documents:
The notification must include the following information:
· a description of the nature of the breach, including
  o categories and approximate numbers of data subjects concerned;
  o categories and approximate numbers of personal data records concerned;
· the name and contact details of your data protection officer or other contact person who can provide more information;
· the likely consequences of the breach; and
· a description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects if appropriate.
Applicable Legislation:
https://adgmen.thomsonreuters.com/rulebook/data-protection-regulations-2021