Every organisation needs an incident response policy. Has your organisation been the victim of a data privacy incident? In all likelihood it has, and you may not even know about it. An incident, in the context of data privacy, is any event that makes it possible for someone to gain unauthorised access to personal information: for example, losing an unencrypted laptop, giving up passwords in a phishing attack, or an employee sending business information out of your organisation without your permission.
Incidents happen all the time and will continue to happen, even if you do your best to guard against them. They pose significant risks to your organisation in the form of reputational damage, onerous regulatory investigations, fines or imprisonment.
What can you do about it? You can prepare yourself to respond properly. We can help you do that with an Incident Response Policy.
Why is your response to an incident important?
When an incident happens, people have questions. Your customers want to know what happened to their information, the Regulator will want to know what you are doing to manage the incident, and your competitors may ask themselves how they can exploit your misfortune.
You need to handle these questions to minimise the risks of the incident. A response is a written or (where appropriate) verbal answer to the questions posed by the incident, and how you respond will determine how the incident affects your organisation.
If you respond badly, you could make things worse. If you respond well, you could resolve the incident and even prevent future incidents from happening. Remember that data breaches cause harm.
How should you respond to an incident?
Responding to an incident properly involves five steps:
- Identify the incident – establish whether an incident has actually occurred, then understand its scope so that your response is proportional;
- Get your personnel to report the incident – obtain a written description of the incident in sufficient detail for you to formulate a meaningful response;
- Escalate the incident properly – escalate incidents appropriately so that they are dealt with by the correct people;
- Respond to the incident – actually respond to the incident; this is the most important step, because the cost of an incident is determined by how well you respond to it; and
- Evaluate your response to the incident – evaluate the outcome of your response to see how well it worked and whether you need to do anything else to manage the incident.
What is an Incident Response Policy?
An Incident Response Policy is a written document that:
- guides you in handling an incident systematically by giving you a process for doing so
- gives your Data Protection Officer a tool they need to carry out some of their most important functions under the relevant data protection legislation (such as the GDPR, the DPA or POPIA)
- helps you identify incidents and categorise them
- gets your employees to report incidents in sufficient detail for you to address them
- enables you to escalate incidents effectively, based on their severity, to the correct people to deal with them
- allows you to respond to incidents well by helping you allocate the correct resources, establish a response team, and comply with your notification obligations
- helps you improve how you handle incidents by encouraging you to evaluate your response: analysing it, acting on feedback, and updating your process accordingly