Key Takeaways: Building Trust Through Privacy Incident Documentation
Once a data breach occurs, the clock starts ticking. In the rush of responding to a data privacy incident, attention is directed towards investigation, assessment, and notification in order to meet regulatory or contractual deadlines. Privacy incident documentation can be considered a by-product of the process. However, when the initial rush is over, documentation reveals itself as the key to demonstrating trustworthiness.
In last week’s session of The Privacy Collective, Doug Kruger, VP of Strategic Accounts at RadarFirst, took a deep dive with Jodi Daniels, Founder, CEO and Consultant at Red Clover Advisors, into this very important stage of the incident management lifecycle.
What did you miss from the latest session?
With the average cost of a data breach in 2022 at $4.35 million, there’s a lot on the line when an incident occurs. Fines and penalties are only part of the greater damage brought on by ineffective documentation.
Building trust with customers is a long journey – one that can quickly “return to start” depending on how your organization handles data breaches and incidents. Reputation is something you can’t build overnight. Only through effective privacy incident documentation can you build trust and protect your organization.
If documentation is so vital to an organization, how do most businesses document their privacy incidents? Well, we took a live poll during the session and received the following results:
→ 30% answered internally with an Excel spreadsheet
→ 57% answered through a third-party software solution
→ 13% answered “not sure”
More than half of respondents rely on the help of a third-party solution. The incident lifecycle consists of 10 highly detailed stages, which can be challenging for maturing privacy programs. Many organizations have embraced third-party solutions to ensure consistency in documentation and repeatability of incident response processes.
The incident lifecycle is not a linear path – you may learn new pieces of information at any given time, requiring you to revisit previous stages to finalize your breach notification decision. This is a big challenge for organizations without a centralized incident management approach. Having a collaborative and flexible documentation solution in place is essential.
“With no [privacy incident] documentation, you have a massive he said-she said game. That typically doesn’t go well, and the operator at the end gets a completely different story. When you have a solid method on how to capture the information, everyone is clear on what is happening and there is one consistent theme and story.” — Jodi Daniels
Team collaboration is a major part of documentation. Jodi emphasizes the importance of having a cross-functional team and clearly assigned roles. Everyone has a different role to play and it’s important that privacy incident documentation is visible and accessible to the right people. Jodi continues, “you need to identify the right words, the right way, and the right people to document.”
Jodi and Doug caution that you should be mindful of where this information will be stored and how it will be accessed. You’ll want to know exactly who the editors are and who the owner is.
We covered how to build trust through well-documented incident management
When an organization has an effective incident response plan in place, consumers and potential business partners are more trusting of the brand.
“When an organization isn’t trying to trick the public, is documenting and evaluating common themes … as an end customer, that level of trust is going to be connected.” — Jodi Daniels
Not only does effective privacy incident documentation mitigate risk and reputational harm by preventing incidents, it also proves to partnering businesses that you’re accountable and prepared. If an incident does occur and requires notification, your company has clear steps on how to proceed and who to notify.
Analyzing incident documentation on a continued basis helps identify areas for improvement and opportunities to mature your organization’s security posture. For example, human error remains the largest cause of privacy incidents.
Jodi suggests using uncovered data like this to help evaluate where you need to increase employee training or automation. By reporting incident trends and metrics to your board, you can make a case for an increased privacy program budget.
Why privacy incident documentation provides credibility with regulators and the public
Can proper privacy incident documentation affect how an organization is perceived by regulators? Absolutely. We saw the impact of ineffective incident management and the failure to notify consumers recently in the first public CCPA enforcement.
Regulators are looking at thoroughness and the detailed thought process of how you arrived at your breach notification decision. They want documented facts.
→ What type of incident took place?
→ Was it notifiable? Was notification delivered within the appropriate response window?
→ How long did it take your organization to come up with the response plan?
→ Was there training implemented afterwards? What steps did your organization take to ensure it does not happen again in the future?
When you have proper incident documentation, your response process and decision-making are consistent. You’re proving to regulators that you can meet your burden of proof with a documented record.
Doug shared a great example that summarizes what regulators are looking for at a very fundamental level.
When we were in fourth grade in our math class, the teacher would say, “I’m thrilled that you got your long division answer correct, but I’m more interested in seeing how you got the answer. I’d almost rather see you get it wrong, as long as you can show me your process – the steps that you took.”
Best practices for successful incident documentation
When asked if she has any advice for other privacy leaders in their approach to documentation, Jodi shared,
Preparation is the key, like anything. The more prepared you are, the better you will be able to respond. If you have a plan and it needs a little digital dusting, now is a good time. Figure out who are your key players, how will you document, who will be responsible, and in what place will you do it. All of those questions are perfect so you don’t have to worry about it when you have a time clock ticking at you.
“The biggest thing is preparation. The more prepared you are, the better you’ll be able to respond.” — Jodi Daniels
Implementing regular tabletop exercises for your privacy team will help your organization plan for the unexpected. These exercises “teach you how to think.” By acting through new scenarios, you learn how to quickly pivot when new information becomes available and how to apply it.
Resources for Effective Privacy Incident Documentation
Interested in learning more on building trust through effective incident documentation? Read our free guide, How To Fix an Inconsistent, Manual and Painful Incident Response Process.
Download the guide to learn more about:
→ Ensuring consistency when assessing incidents
→ Making incident response processes efficient, scalable, and cost-effective
→ Keeping up with changing regulatory deadlines
Watch The Privacy Collective On-Demand!