GDPR Process - Incident Response Plan

Incident Response Plan

GDPR compliance means that your organization should be prepared to deal with data breaches, and provide for rapid counteractions to mitigate their impact.

Data breaches must be notified to the supervisory authority within 72 hours, or even sooner if the breach affects the freedoms of natural persons (GDPR Article 33). In addition, every affected person must be notified with the details of the incident.

To this end, your organization must define an incident response plan and set up the right environment to mitigate the impact of data breaches.

Incident Response Plan - How To

Add Incident Response Plan for each Data Audit

In the edit page of the data audit, just click on the add (+) icon for the field "incident response plan". Then you can insert all details about the incident response plan. In this case, incident response is supported by Attack Prophecy, thanks to its virtual patching mechanism, which also covers zero-day (never-before-seen) attacks that may lead to data breaches.

Please note that, in general, for each data breach detection technique you should specify:

  • How breach response is possible: how data breaches can be effectively handled. This phase usually calls for a well-suited recovery plan, and for systems such as Attack Prophecy that are capable of providing protection against unexpected behavior of your applications and users.
  • Data breach notification: the notification procedures towards the involved parties, including supervisory authorities.
  • Residual risk (of inadequate or missing response to data breaches): an evaluation of the residual risk of not responding properly to data breaches, given the specific incident response plan. This should be the output of a detailed risk analysis that evaluates the likelihood and impact of data breaches for the considered data audit (in this case, identity documents) and incident response plan.

Add Data Breach Response

Add Data Protection Impact Assessment (DPIA) for each Data Audit

In the edit page of the data audit, just click on the add (+) icon for the field "Data Protection Impact Assessment". Then you can insert all details about the DPIA by uploading a PDF report.

Please note that the DPIA:

  • is mandatory prior to the data processing if the managed data is likely to entail a high risk to the rights and freedoms of individuals (GDPR Article 35).
  • can be documented by following our framework: the DPIA in fact needs to provide details about the risk evaluation and mitigation process carried out in all previous phases, so it is easier to produce if you have already defined the Data Management Policy, Data Breach Detection and Incident Response (all of these steps are driven by risk-based metrics, according to our framework).

Add Data Protection Impact Assessment (DPIA)