Incident & Breach Management
Automated Incident Notification Compliance Workflow
Relevant GDPR Articles
- Article 33: Notification of a personal data breach to the supervisory authority
- Article 34: Communication of a personal data breach to the data subject
Data Incident and Breach Notification Management
Articles 33 and 34 of the General Data Protection Regulation (GDPR) require data controllers to notify data protection authorities (DPA) in the event of a personal data breach. The GDPR requires data controllers to notify the supervisory authority about personal data breaches when a personal data breach is likely to result in a risk to the rights and freedoms of natural persons. Personal data breaches need to be communicated to individuals if there is a high risk to the rights and freedoms of natural persons.
OneTrust Incident and Breach Management
Because of GDPR’s 72-hour notification requirements to the supervisory authority and under certain circumstances an additional notification to the data subjects, it’s critical for organizations to have a systematic process in place to meet these requirements.
With OneTrust, maintain incident and breach records, evaluate against notification requirements, and analyze overall risk with connections to the underlying data inventory. Build a systematic process to document the incident, understand if it has resulted in a breach, analyze harm to the individual and determine if a notification to the supervisory authority or the data subject.
Prepare an Incident Management Workflow
GDPR Article 33 Notification Template
Select the GDPR incident questionnaire from the OneTrust template gallery to begin your incident reporting documentation process. Leverage the template as-is or customize using drag-and-drop interface.
Use workflow management to automatically assign sections of the incident notification questionnaire to the correct person or department within your organization.
Incident Classification & Risk
Document Data Incident Type
Through the OneTrust Incident and Breach tool, classify the type of incident then map it to existing data subjects and data types.
Measure Organizational Risk
Since the type of data involved in an incident have different requirements under the GDPR, use the OneTrust Incident Management tool to determine the risk of the harm to data subject and whether the incident requires notification to both the data protection authority and data subject, or just to the DPA.
Reporting & Metrics
Maintain a full audit log of an incident or breach in the event of a regulator inquiry. Provide internal and external stakeholders full metrics and risk assessment for full transparency of each event.
Why OneTrust Incident & Breach Management?
- Deep regulatory guidance-based privacy research, reporting, and built-in templates
- Option for self-service deployment or additional support from OneTrust implementation team
- Fully scalable solution for small and medium businesses to large multinational enterprises
- Multi-lingual product translated by OneTrust’s in-house, privacy-trained localization team
- Flexible and modular pricing structure to meet program maturity and budgetary uncertainties
- Out-of-the-box ready solution with a highly tailorable and customizable platform
- Deployment flexibility in EU cloud, US cloud, or on-premises with the ability to migrate
- Available as stand-alone module or as part of OneTrust’s comprehensive and integrated platform