Privacy incident response planning: a playbook for DPOs

by Sypher | Published in Resources


No matter how large your security budget, privacy incidents are a matter of WHEN, not IF.

Therefore, as a DPO, you need to prepare yourself (and anyone else who should be involved) for potential incidents, just as you prepare for natural disasters with earthquake drills.

In this article, we explore the intricacies of creating an effective privacy incident response plan and the key components it should include to help you before, during, and in the aftermath of an incident.

What makes an effective incident response plan?

An effective plan should be:

  1. Comprehensive — takes into account the entire incident response lifecycle, from preparation to post-incident review, as well as any legislation that may apply, and ensures that all necessary steps are covered.
  2. Synergistic — it entails collaboration between different departments and stakeholders, including legal, IT, and HR, to ensure a timely, coordinated response.
  3. Customised and up-to-date — it matches the specific needs of the organisation and is revised as the organisation grows and evolves.
  4. Defensible — developed in accordance with industry standards, best practices, and legal requirements, so that it can withstand scrutiny from regulators, customers, and the public.
  5. Regularly tested — you and your team need to know you can rely on the plan when facing compliance deadlines, especially when deciding whether or not to notify regulators; a plan that has never been exercised cannot give you that confidence.

Before we go any further, it's worth noting that you can't really build an effective response plan without a solid privacy management programme.

That is a much larger topic than we can cover here (for a starting point, see our previously published article: 7 proven tactics for a more successful privacy management program), so let's move on and look at the key stages of your plan.

Pre-incident (preparation) 

Consider these 3 questions when preparing your plan:

Who is on your incident response team?  

Establish a dedicated incident response team, along with procedures, templates, and checklists for responding to privacy incidents. You should also identify and retain external service providers, such as cyber security experts and forensic investigators, so they are readily available to provide support in the critical first hours after an incident.

Here are 3 tips to ensure that everyone is properly prepared to respond.

  • Train regular staff to recognise incidents and stress the importance of reporting them promptly, with the essential facts, to the right people.
  • Train your response team on procedures and tools to use during a data breach. Use real-world examples and perform privacy breach drills. Focus your training on optimal reaction methods per case, adequate communication within the organisation, and reasons for escalation or bringing in external resources.
  • Advise the board and leadership teams on the requirements and resources needed for effective incident response.

What are the main sources of risk and how are they managed?

Assessing risk and ensuring the right controls are in place is an important part of preventing security incidents, and it's a job that requires close collaboration between the Privacy and InfoSec teams.

On the one hand, by looking at the underlying security information for the associated assets, the Privacy team can better understand what the potential security risks are for each relevant processing activity and how well they are being managed.

On the other hand, by understanding the risk severity of each activity, the InfoSec team can better understand which assets are used in critical activities and prioritise the resources needed to protect them.

If you want to explore the idea further, we’ve covered it in this previous article: Privacy management & information security — two sides of the data protection coin


How do you assess the effectiveness of controls? 

Regular auditing of existing controls against industry standards and best practices will help you identify any gaps or weaknesses and ensure that policies, procedures, and all required documentation are usable and up to date.

To improve efficiency, aim to create a central repository for risk and compliance information and implement a common audit plan for legal, security and privacy controls.


During an incident (response & recovery) 

The response and recovery phase of a privacy incident plan is critical to minimising harm to affected individuals and restoring your organisation's potentially damaged reputation. Here are the key steps in this phase:

  1. Identify the cause and scope — Determine what happened, the extent of the potential breach, and which personal data and data subjects are affected. Coordinating with InfoSec is key, and the facts established here feed directly into the notification decision.
  2. Contain the breach — Take steps to stop the breach and prevent further harm (revoking access, isolating affected systems, recalling a misdirected message) without waiting for a complete root-cause analysis. Preserve logs and other evidence so that forensic investigators can reconstruct events, then work to restore data protection to normal levels and update existing controls.
  3. Evaluate risks — Assess and document the risks to affected individuals and to internal operations; the likelihood and severity of harm to individuals is what drives the notification decision in the next step.
  4. Determine if the incident qualifies as a notifiable breach — This is a crucial moment, as it can activate an entire component of the incident response plan, so we’ll unpack it in the next subsection of this article (Privacy incident communication & documentation).
  5. Last, but not least, implement remediation actions — Remediation actions should address the root cause of the incident and restore the security of personal data. To be successful, you will need to ensure that your actions are closely aligned to business processes. In other words, your deployment should enable business in a minimally disruptive, secure, and compliant way.


Privacy incident communication & documentation

Timely and effective communication with relevant stakeholders is essential during and after a privacy incident. Along with regulators, this includes employees, customers, and the media. 

If you are subject to the GDPR, Article 33 requires you to notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. The clock starts at awareness, not at the moment the incident occurred, and a notification made after 72 hours must be accompanied by the reasons for the delay. Where the breach is likely to result in a high risk to individuals, Article 34 additionally requires you to inform the affected data subjects without undue delay.

According to Article 33(3) of the Regulation, “the notification [...] shall at least:

  1. describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  2. communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
  3. describe the likely consequences of the personal data breach;
  4. describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.”

Tips:

  • Define communication models for the external environment (customers, partners, regulators) and for employees. Be aware that any internal communication can leak, so know what you are communicating, how you are communicating it, and to whom.
  • Prepare communication templates for common incident scenarios.
  • Document every personal data breach, including those you decide not to notify, with the facts, its effects and the remedial action taken; Article 33(5) requires this record, and it is what allows the supervisory authority to verify your compliance with the notification rules.


Post-incident (review and reporting)

A post-incident review should be conducted to identify areas for improvement and to ensure that lessons learned are incorporated into future planning and preparation efforts. 

This review should examine the entire incident response process, from planning and preparation to response and recovery, in order to identify any gaps, weaknesses, and opportunities for improvement.

Key metrics reports

To keep a privacy incident response plan effective, regularly review reports on key metrics such as:

  • the volume, type, and sources of incidents;
  • the average interval between an incident being detected and its internal report to the privacy team;
  • the interval between the incident report and the notification decision, measured against the 72-hour window where the GDPR applies.

These reports help to identify emerging risks and opportunities for improvement and can be instrumental in justifying privacy budgets and investments to decision-makers at the executive level.
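As an added example that is not part of the original article, the following Python script computes the metrics listed above over a small incident register and flags notifiable breaches whose notification fell (or is falling) outside the 72-hour window discussed in the communication section. The register fields, the incident references and the sample entries are constructed for illustration; adapt the field names to whatever your incident tracking tool exports.

```python
"""Privacy incident register metrics (added example; field names and sample data are constructed)."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

# Art. 33(1) GDPR: notify the supervisory authority without undue delay and,
# where feasible, no later than 72 hours after becoming aware of the breach.
GDPR_NOTIFICATION_WINDOW = timedelta(hours=72)


@dataclass
class Incident:
    ref: str
    category: str          # e.g. misdirected email, lost device, phishing
    source: str            # who first raised it: staff, customer, infosec, vendor
    detected_at: datetime  # when the incident was first noticed
    reported_at: datetime  # when it reached the privacy team / DPO
    aware_at: datetime     # when the controller became aware (starts the 72 h clock)
    decided_at: datetime   # when the notify / do-not-notify decision was recorded
    notifiable: bool       # decision outcome: notification to the authority required
    notified_at: Optional[datetime] = None  # when the authority was actually notified


def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600


def volume_by(incidents, attr: str) -> dict:
    """Count incidents by category or by source (the 'volume, type, sources' metric)."""
    return dict(Counter(getattr(i, attr) for i in incidents))


def mean_detection_to_report_hours(incidents) -> float:
    """Average time between an incident being detected and reaching the privacy team."""
    return mean(_hours(i.reported_at - i.detected_at) for i in incidents)


def mean_report_to_decision_hours(incidents) -> float:
    """Average time between the internal report and the notification decision."""
    return mean(_hours(i.decided_at - i.reported_at) for i in incidents)


def overdue_notifications(incidents, now: datetime) -> list:
    """Notifiable breaches notified (or still open) more than 72 h after awareness.

    Returns (ref, hours since awareness). Art. 33(1) requires such a late
    notification to be accompanied by the reasons for the delay.
    """
    late = []
    for i in incidents:
        if not i.notifiable:
            continue
        end = i.notified_at or now  # still unnotified: measure up to now
        elapsed = end - i.aware_at
        if elapsed > GDPR_NOTIFICATION_WINDOW:
            late.append((i.ref, round(_hours(elapsed), 1)))
    return late


def report(incidents, now: datetime) -> dict:
    """Assemble the key metrics report a DPO would review periodically."""
    return {
        "by_category": volume_by(incidents, "category"),
        "by_source": volume_by(incidents, "source"),
        "mean_detection_to_report_h": round(mean_detection_to_report_hours(incidents), 1),
        "mean_report_to_decision_h": round(mean_report_to_decision_hours(incidents), 1),
        "overdue_notifications": overdue_notifications(incidents, now),
    }


# Constructed sample register: four incidents over one week. T is an arbitrary reference time.
T = datetime(2024, 3, 4, 9, 0)
H = timedelta(hours=1)
SAMPLE_REGISTER = [
    Incident("INC-001", "misdirected email", "staff", T, T + 2 * H, T + 2 * H, T + 6 * H, False),
    Incident("INC-002", "lost device", "staff", T + 24 * H, T + 30 * H, T + 30 * H, T + 40 * H, True,
             notified_at=T + 78 * H),      # 48 h after awareness: within the window
    Incident("INC-003", "phishing", "infosec", T + 48 * H, T + 50 * H, T + 50 * H, T + 60 * H, True,
             notified_at=T + 130 * H),     # 80 h after awareness: late, reasons required
    Incident("INC-004", "phishing", "vendor", T + 72 * H, T + 84 * H, T + 84 * H, T + 96 * H, True),
]
NOW = T + 184 * H  # constructed 'current time' for the report; INC-004 is still unnotified

if __name__ == "__main__":
    for key, value in report(SAMPLE_REGISTER, NOW).items():
        print(f"{key}: {value}")
```

The awareness timestamp is kept separate from detection and internal report because the GDPR clock runs from when the controller becomes aware, so a slow internal escalation consumes the window before the DPO has even seen the case; the gap between the two means in the report shows where that time is being lost.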

Closing thoughts

As your organisation and the external environment change and evolve, it is essential that your incident response plan is regularly updated and tested to ensure it remains effective and usable.

And remember that incident management, like privacy management, is a team game. Everyone should be trained and ready to play their part.
