5 Tips for Privacy Incident Planning

Mike Ogden

Recent events provide a teachable moment for privacy programs and highlight the importance of being prepared should a breach occur.

Twitter just announced it could face $250M in fines over improper data use. GDPR has generated 347 fines totaling over $207M. And in California, ballot Proposition 24 could expose companies to a host of new potential data privacy violations if it passes this November.

To ensure privacy regulations don’t slap your organization with a hefty fine for a data breach, revisit your procedures for managing a privacy incident. Chances are, your company has an incident response plan, but is it ready for a privacy incident? Here are five tips:

1. Test policies and procedures
Have you tested your policies and procedures around a privacy incident? Dry runs that involve all stakeholders (legal, human resources, public relations, customer service, security, IT, third parties and executive staff) produce lessons that can help prevent privacy incidents, limit their impact and accelerate response times.

2. Review incident detection processes
Which department is responsible for detecting malicious activity such as a cybercrime involving customer data? Who identifies and reports it as an incident? Review the critical junctures where communications and handoffs occur. Organizations that already comply with HIPAA will find these privacy requirements familiar; for other businesses, privacy rules will be new.

3. Check internal/external communications
Privacy data breaches impact operations and expand outward as bad news travels fast. You will need customer service and public relations’ assistance to proactively manage the fallout. The goal is also to prevent further damage and arm leadership with hard facts they can use to make decisions. All the above require communications.

4. Assess recovery efforts
After a privacy incident, it’s time to investigate and follow through on findings. Are you prepared to complete a forensic analysis to determine the origin of the data breach? Are recovery processes effective, or could they lead to additional violations? Can you restore data from backups? Update policies, procedures and processes as necessary, and make whatever changes are needed to prevent the same incident from recurring.

5. Ongoing assessments and continuous monitoring
You need a game plan going forward after a privacy data breach. That’s where ongoing assessments and monitoring come in. Assess third parties and processes that handle customer data to better understand the risk level of an incident and make corrections. Rely on continuous monitoring to bridge the gap between assessments and allow time for proactive steps.

Most incident response plans fail because of a lack of testing, outdated procedures, weaknesses in the plan, or a failure to do forensic analysis. These five tips help address incidents involving privacy.

Privacy presents a different challenge. A privacy incident affects customers and often involves third parties, not to mention spreads socially and attracts the media. You need to be proactive, not just reactive, inside and outside of the organization.

Like it or not, privacy regulations are sweeping across the world. The sooner you adapt and prepare for compliance and incidents, the more likely you’ll avoid fines and reputational damage. You’ll be a leader in managing customer data and protecting customers’ privacy.
