The regulation defines a personal data incident as, for example, a security incident which leads to inadvertent or illegal destruction of, loss of or change to the personal data being processed. It may also be a personal data incident or a security incident leading to unauthorised exposure of, or unauthorised access to, the personal data being processed. If a security incident occurs relating to personal data, for example hacking, this incident must be documented and reported to the Swedish Data Protection Authority within 72 hours. It may also be necessary to inform the subject of the data, for example if there is a risk of identity theft or fraud. In order to live up to the new obligations under the regulation, it is important for departments or equivalent which process personal data to have sufficient procedures in place to be able to detect, report and investigate personal data incidents.

Personal data incidents must be reported immediately to the University data protection ombudsperson (dso@su.se), who in turn shall report them to the Swedish Data Protection Authority.