Privacy Incident Management Simplified

A security incident is the unintentional disclosure of regulated data, whether by accidental or malicious causes. For example, an attempted phishing attack or social engineering attack. A data breach is when a security incident results in the disclosure of personally identifiable information (PII) or protected health information (PHI) to an unauthorized party. While all data breaches are privacy incidents, not all incidents are breaches.

• What are some examples of a privacy incident?
  • Some examples of a privacy incident can include: a laptop containing PII is stolen, an email with PII is sent to the wrong person, or a box of documents with PII is lost during shipping.

• What is a security incident under GDPR?
  • According to the GDPR, “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
    

A successful privacy program should simplify the incident management lifecycle to reduce risk for your organization and build trust for your brand. The program should help your team arrive at consistent and reliable breach decisioning every time. A mature privacy program should be intelligent – capable of automatically mapping the privacy landscape and agile, to stay ahead of all relevant laws and regulations.

There are 10 steps to managing a privacy incident: Discovery; Triage and Investigation; Regulatory Research; Third-Party Contractual Obligations; Team Collaboration; Risk Assessment; Breach Decision; Remediation and Notification; Prevention and Analysis; Benchmarking.

Depending on where your organization does business, or manages data from, the most relevant regulations will change. Global privacy regulations include the: EU General Data Protection Regulation (GDPR), EU ePrivacy Directive, the Personal Information Protection and Electronic Documents Act of Canada (PIPEDA), China’s Personal Information Protection Law (PIPL), Australia’s Privacy Act, and Japan’s Act on the Protection of Personal Information (AAPI).

The United States does not have a singular law that covers the privacy of all types of data, though the American Data Privacy and Protection Act (ADPPA) is making rounds through the House of Representatives, and the executive branch recently signed into law the Cyber Incident Reporting for Critical Infrastructure Act, which involves security reporting for a wide range of public and private entities.

In recent years several states have followed in California’s footsteps, modeling laws off the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) including Utah, Colorado, Virginia, and Connecticut.  Finally, several federal laws contain privacy regulations, including HIPAA, FCRA, FERPA, GLBA, ECPA, COPPA, and VPPA.

And separate from this long list of privacy laws, every US state and most territories have laws that specify entities’ breach notification obligations, when the personal information of citizens has been subject to unauthorized disclosure.

Learn more from the United Nations Office on Drugs and Crime.

With patented, one-of-a-kind technology, RadarFirst synthesizes over 130,000 possible risk factor combinations to deliver consistent decisioning that simplifies hours of work into the click of a button. With intelligent incident management as part of your privacy strategy, you can embrace digital transformation, accelerate efficiency, and build consumer trust.

• What is the purpose of digital transformation?
  • Digital transformation for privacy helps alleviate the painstaking tasks of manually resolving data privacy and security incidents in spreadsheets. With the right technology partner, your privacy team can spend less time chasing compliance and researching regulations, and more time maturing your program.