Incident & Breach Management

Automated Incident Notification Compliance Workflow

Relevant GDPR Articles

  -  Article 33: Notification of a personal data breach to the supervisory authority

  -  Article 34: Communication of a personal data breach to the data subject


OneTrust Enables Enterprises to Meet Breach Compliance Requirements

Data Incident and Breach Notification Management

Articles 33 and 34 of the General Data Protection Regulation (GDPR) require data controllers to notify data protection authorities (DPA) in the event of a personal data breach. The GDPR requires data controllers to notify the supervisory authority about personal data breaches when a personal data breach is likely to result in a risk to the rights and freedoms of natural persons. Personal data breaches need to be communicated to individuals if there is a high risk to the rights and freedoms of natural persons.

OneTrust Incident and Breach Management

Because of GDPR’s 72-hour notification requirements to the supervisory authority and under certain circumstances an additional notification to the data subjects, it’s critical for organizations to have a systematic process in place to meet these requirements.

With OneTrust, maintain incident and breach records, evaluate against notification requirements, and analyze overall risk with connections to the underlying data inventory. Build a systematic process to document the incident, understand if it has resulted in a breach, analyze harm to the individual and determine if a notification to the supervisory authority or the data subject.

Prepare an Incident Management Workflow

GDPR Article 33 Notification Template

Select the GDPR incident questionnaire from the OneTrust template gallery to begin your incident reporting documentation process. Leverage the template as-is or customize using drag-and-drop interface.

Stakeholder Assignment

Use workflow management to automatically assign sections of the incident notification questionnaire to the correct person or department within your organization.

Incident Classification & Risk

Document Data Incident Type

Through the OneTrust Incident and Breach tool, classify the type of incident then map it to existing data subjects and data types.

Measure Organizational Risk

Since the type of data involved in an incident have different requirements under the GDPR, use the OneTrust Incident Management tool to determine the risk of the harm to data subject and whether the incident requires notification to both the data protection authority and data subject, or just to the DPA.

Reporting & Metrics

Regulatory Record-Keeping

Maintain a full audit log of an incident or breach in the event of a regulator inquiry. Provide internal and external stakeholders full metrics and risk assessment for full transparency of each event.

Why OneTrust Incident & Breach Management?

  • Deep regulatory guidance-based privacy research, reporting, and built-in templates
  • Option for self-service deployment or additional support from OneTrust implementation team
  • Fully scalable solution for small and medium businesses to large multinational enterprises
  • Multi-lingual product translated by OneTrust’s in-house, privacy-trained localization team
  • Flexible and modular pricing structure to meet program maturity and budgetary uncertainties
  • Out-of-the-box ready solution with a highly tailorable and customizable platform
  • Deployment flexibility in EU cloud, US cloud, or on-premises with the ability to migrate
  • Available as stand-alone module or as part of OneTrust’s comprehensive and integrated platform