You should have a Personal Data Breach Policy that sets forth a plan for how to respond to a Personal Data Breach. Having and implementing such a plan helps protect an organization from a Personal Data Breach and enables a timely response if a Personal Data Breach is suspected or occurs.
Given these reasons for having a Personal Data Breach Policy, an organization should consider having a Personal Data Breach Policy that discusses:
- How to determine whether a Personal Data Breach has occurred
- How to preliminarily address the incident
- How to investigate the incident
- How to document the incident and what information to include in the documentation for both:
  - Internal documentation (e.g. recordkeeping)
  - External documentation (e.g. notifying regulators and/or individuals)
- The roles of the personnel who should be on the Incident Response Team:
  - Internal personnel (e.g. Chief Security Officer)
  - External personnel (e.g. outside counsel)
- The need to determine a remediation strategy, with examples of potential remediation strategies
- The need to include in third-party contracts the responsibilities of processors in the event of a suspected or identified Personal Data Breach
These topics are examples of subjects that you should consider including in a Personal Data Breach Policy. There may be additional subjects that are appropriate for you to include in such a Policy, and under some circumstances it may be appropriate to leave out some of the topics listed above.
This blog is the 28th in a series of blogs that explains, in bite-size pieces, what needs to be done to put the GDPR into practice and how GDPRsimple, http://www.keepgdprsimple.com, an automated web and mobile tool, can help SMEs implement the GDPR and demonstrate their implementation. Each of the bite-size pieces is part of one of the eight topics in GDPRsimple.
Next blog: How is security of processing assessed?