Privacy Monitoring and Incident Management (MIM)

Best Practices

  • Ensure that the organization has complete understanding of and visibility over the personal information that is being transacted in its processes, activities, functions and projects
  • Map the compliance requirements that are specific to privacy-related breaches. Some data protection regulations impose stringent requirements for data breach notification
  • Define the types of privacy-specific incidents after considering the data leakage scenarios. For each type of incident, define its characteristics, severity and impact
  • Identify the detection requirements of the organization’s privacy initiatives that help the organization identify privacy-specific incidents
  • Identify the information sources that could be useful in detecting a privacy compromise
  • Ensure that a set of business rules exists to help detect, identify, analyze and declare security incidents from the information collected from the different sources
  • Prepare an incident management plan for all types of incidents. This plan usually has elements such as incident identification and notification, an escalation matrix and processes, remediation measures and processes, incident reporting, root cause analysis and knowledge management
  • Ensure that the roles and responsibilities for the privacy incident management process are defined and documented
  • Ensure that technical and tactical measures are deployed to detect or report privacy incidents
  • Ensure that the scope of privacy monitoring is extended to all information sources that reveal how personal data is transacted in the organization
  • Ensure that the organization maintains a significant level of intelligence on privacy breaches happening across the globe and their relevance to the organization’s environment
  • Ensure that a process exists to notify incidents or data breaches to all stakeholders, such as the privacy function, the corporate compliance function, the owner of the information, regulatory authorities and law enforcement bodies, wherever required
  • Ensure that privacy monitoring and incident management are in line with the data breach notification requirements of the organization. If the organization processes data on behalf of another organization that owns the data, it should be able to support the breach notification requirements of that organization
  • Ensure that the knowledge generated from managing privacy incidents and the lessons learnt are managed effectively for future use

DSCI Privacy Framework