Hey, privacy spec!
In this post, we will go over some basics of incident management. While we focus on privacy-related incidents, the general concepts and techniques apply to managing all sorts of time-critical business situations.
First, what is an incident? Narrowly speaking, the GDPR (and similar privacy regulations) treats incidents as ‘data breaches’. Mainly these are breaches of confidentiality: data was disclosed to, or otherwise accessed by, someone who did not have the right to access it. The GDPR also counts unwanted loss of availability or integrity of data as a ‘personal data breach’ (see the definition of ‘personal data breach’ in Article 4 of the GDPR).
Is the narrow approach enough? Not for privacy specs, whose task is to develop and implement a sustainable privacy program.
While each company is free to define and set the limits of what it considers an incident, it is good practice to also treat breaches of internal policies, procedures and requirements as incidents. This lets the company gather and process information about situations which already constitute, or could develop into, regulatory non-compliance.
Example #1: an employee accidentally sends an unencrypted email with an unprotected attachment to the wrong recipient. The email contains confidential business information of a business partner as well as personal data of some clients. This is clearly an infosec incident (regarding the confidential business information) as well as a ‘personal data breach’. Possibly the company has to notify the business partner, the supervisory authority and the affected clients.
Example #2: due to a system error, the company sends a newsletter email to clients who have not given marketing consent. While this is not a ‘personal data breach’ under the legal definition, it could still lead to the company being fined for its actions, as it breaches privacy principles. The company is not required to make any breach notifications.
How you define ‘incident’ directly affects whether internal stakeholders will report impactful events which may result in fines and loss of reputation. It is worth noting that proper incident discovery and management may be what provides a way out of fines and claims.
What are important concepts in incident management?
- Audit trail – regardless of the severity of the incident, the relevant information has to be kept, for accountability and legal reasons as well as for the ‘lessons learned’ part of incident management.
- Duplicated access – if the incident management process is accessible to multiple roles or stakeholders, bottlenecks and disruptions are less likely. As a bonus, people tend to act more responsibly when the results of their actions (e.g. maintaining the incident register) are visible to others. Work in silos gets messy, as ‘shortcuts’ are not understood by others.
- Transparent communications – all stakeholders (including the reporter of the incident) need to know clearly whether they still have something to do or their part is done and no further input is needed from them. Read: someone has to manage communications about the incident, from reporting through escalation and external notifications to declaring the incident resolved or closed.
- Lessons learned – find the cause, prevent it from happening again and/or feed the findings into risk management (risk owner, approvers etc.).
- Structured data – use and collect as much structured data as possible. This enables automation and data analysis, and also improves the UX of incident reporting and management. Structured data is easy to produce if information is collected via forms (think Office 365 or Google Forms) with checkboxes and predefined answer options. Using Microsoft or Google solutions also gives you useful metadata such as the date and time the incident was reported.
If there is no clear input channel (e.g. forms are not used or not feasible), the incident manager should at least apply a structured-data approach when manually adding entries to the incident register.
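To make the structured-data and audit-trail points concrete, here is an added example (not code from the original post or from any particular product) of a minimal incident register: a report form with closed-choice fields, a classification that mirrors the post's distinction between a ‘personal data breach’ (confidentiality, integrity or availability of personal data, per GDPR Article 4) and a breach of internal policy only, and an append-only register where every status change is recorded as an event rather than overwriting the previous state. The workflow states (reported, triaged, escalated, resolved), the identifiers, the reporter names and the two sample reports modelled on Example #1 and Example #2 are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
import json


class Impact(str, Enum):
    """Closed-choice options a reporting form would present as checkboxes."""
    CONFIDENTIALITY = "confidentiality"  # data seen by someone without the right to access it
    INTEGRITY = "integrity"              # data altered without authorisation
    AVAILABILITY = "availability"        # data lost or made inaccessible
    POLICY = "policy"                    # breach of an internal policy or procedure only


# The three kinds of impact named in the GDPR Art. 4 definition of 'personal data breach'.
SECURITY_IMPACTS = frozenset({Impact.CONFIDENTIALITY, Impact.INTEGRITY, Impact.AVAILABILITY})

# Hypothetical workflow states and the transitions the register accepts (assumed, not from the post).
TRANSITIONS = {
    "reported": {"triaged"},
    "triaged": {"escalated", "resolved"},
    "escalated": {"resolved"},
    "resolved": set(),
}


@dataclass(frozen=True)
class IncidentReport:
    """What the reporter submits: closed choices plus one short free-text summary."""
    reporter: str
    summary: str
    impacts: frozenset           # subset of Impact
    personal_data: bool          # were personal data involved?
    business_confidential: bool  # was a partner's confidential business information involved?


def is_personal_data_breach(report: IncidentReport) -> bool:
    """Personal data affected in one of the three legally defined ways (Example #1: yes, Example #2: no)."""
    return report.personal_data and bool(report.impacts & SECURITY_IMPACTS)


def is_infosec_incident(report: IncidentReport) -> bool:
    """Any confidentiality/integrity/availability impact, whatever kind of data was involved."""
    return bool(report.impacts & SECURITY_IMPACTS)


class IncidentRegister:
    """Append-only register: entries are never deleted and every status change is an event."""

    def __init__(self):
        self._entries = []

    def record(self, report, reported_at=None):
        ts = (reported_at or datetime.now(timezone.utc)).isoformat()  # reporting-time metadata
        entry = {
            "id": f"INC-{len(self._entries) + 1:04d}",
            "reported_at": ts,
            "reporter": report.reporter,
            "summary": report.summary,
            "impacts": sorted(i.value for i in report.impacts),
            "personal_data": report.personal_data,
            "business_confidential": report.business_confidential,
            "personal_data_breach": is_personal_data_breach(report),
            "infosec_incident": is_infosec_incident(report),
            "status": "reported",
            "events": [{"at": ts, "actor": report.reporter, "status": "reported", "note": "report received"}],
        }
        self._entries.append(entry)
        return entry

    def get(self, incident_id):
        for entry in self._entries:
            if entry["id"] == incident_id:
                return entry
        raise KeyError(incident_id)

    def transition(self, incident_id, status, actor, note, at=None):
        """Move an incident to a new status, refusing skipped steps and keeping the trail."""
        entry = self.get(incident_id)
        if status not in TRANSITIONS[entry["status"]]:
            raise ValueError(f"{incident_id}: cannot go from {entry['status']} to {status}")
        ts = (at or datetime.now(timezone.utc)).isoformat()
        entry["events"].append({"at": ts, "actor": actor, "status": status, "note": note})
        entry["status"] = status
        return entry

    def count_by_impact(self):
        """Because the impact field is structured, analysis is a trivial aggregation."""
        counts = {}
        for entry in self._entries:
            for impact in entry["impacts"]:
                counts[impact] = counts.get(impact, 0) + 1
        return counts

    def to_json(self):
        return json.dumps(self._entries, indent=2)


# Constructed reports modelled on the post's two examples (reporter names are made up).
EXAMPLE_1 = IncidentReport("alice", "Unencrypted email with unprotected attachment sent to wrong recipient",
                           frozenset({Impact.CONFIDENTIALITY}), personal_data=True, business_confidential=True)
EXAMPLE_2 = IncidentReport("bob", "Newsletter sent to clients who gave no marketing consent (system error)",
                           frozenset({Impact.POLICY}), personal_data=True, business_confidential=False)


def demo():
    reg = IncidentRegister()
    a = reg.record(EXAMPLE_1, datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc))
    b = reg.record(EXAMPLE_2, datetime(2024, 1, 16, 14, 0, tzinfo=timezone.utc))
    reg.transition(a["id"], "triaged", "privacy-officer", "personal data breach confirmed")
    reg.transition(a["id"], "escalated", "privacy-officer", "notification assessment started")
    reg.transition(b["id"], "triaged", "privacy-officer", "policy breach only, no breach notification")
    return reg
```

Running `demo().to_json()` prints both entries; Example #1 comes out flagged as both an infosec incident and a personal data breach, Example #2 as neither, yet both sit in the same register with the same audit trail. Rejecting a jump straight from `reported` to `resolved` is what keeps the trail honest: nobody can close an incident without the intermediate step being recorded.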
For more information on how to create an incident management process, contact us or check out our training resources.