
So you're recording your incidents in Excel or Word, or maybe in Jira / ServiceNow, or whatever you're using. Just STOP… You should be aware that fines from data protection authorities can ratchet up 10x when you don't have a competent incident management process. Why is that? PII incidents often contain highly sensitive data and should not be sitting and waiting to be exposed in a spreadsheet or in a relatively open ticket system.
Where should Personal Data Incidents be Stored?
Personal data incident records belong in a dedicated system with strict user access controls and secured database tables that are backed up regularly and can be queried and reported on for business intelligence / KPI reporting. The drive storage (data at rest) should be encrypted and the encryption keys should be appropriately protected.
Who Might Want to See PII Incident Records?
Remember that there may come a day when a significant data breach actually does happen (God forbid) and all kinds of scrutiny are piled on you very quickly. You will have to share information with DPAs or OAGs about everything that was done with the breach, from first detection to notification to root cause analysis, reports, involved agencies and their interactions, and more; this can drag on for years.
Other interested parties may be auditors, certification bodies, legal counsel, law enforcement and even data subjects themselves.
What Happens when you Don’t Record Incidents Properly?
Data protection authorities will assess fines exponentially on businesses that don't have an effective incident management process and that are deemed haphazard in recordkeeping. They may form the view that bad internal processes led to the breach in the first place, and that view will be used against you in legal proceedings at scale.
How Long do I Retain Incident Records for?
Records should be retained in line with your legal records retention period as many of your records will be considered in the context of a legal matter.
How Should I Manage Personal Data Incidents?
Personal data incidents, including breach information, should be stored in a standalone system with a database backend such as this one. You need a data entry form front end for consistent data capture, with fields detailed enough to be shared with data protection authorities by matching their requirements for incident reporting.
The system should also support different security access levels and reporting features so that you can get useful business intelligence reporting for your ITSM program.
It should also have auditability features built in, in the form of timestamp information, to demonstrate when records were created and updated and by whom.
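As an added illustration of the audit trail just described (example code, not the product this page refers to), the following SQLite schema records who created and updated each incident and mirrors every change into an append-only audit table; table and column names are assumptions.

```python
# Added example (not the page's product): an incident store with a built-in
# audit trail in SQLite. Table and column names are assumptions.
import sqlite3
from datetime import datetime, timezone
SCHEMA = """
CREATE TABLE incident (
    id INTEGER PRIMARY KEY, title TEXT NOT NULL,
    status TEXT NOT NULL DEFAULT 'open',
    created_at TEXT NOT NULL, created_by TEXT NOT NULL,
    updated_at TEXT NOT NULL, updated_by TEXT NOT NULL);
-- Append-only audit table: every create/update on incident is mirrored here.
CREATE TABLE incident_audit (
    id INTEGER PRIMARY KEY, incident_id INTEGER NOT NULL,
    action TEXT NOT NULL, actor TEXT NOT NULL, at TEXT NOT NULL,
    old_status TEXT, new_status TEXT);
CREATE TRIGGER incident_ai AFTER INSERT ON incident BEGIN
  INSERT INTO incident_audit(incident_id, action, actor, at, old_status, new_status)
  VALUES (NEW.id, 'create', NEW.created_by, NEW.created_at, NULL, NEW.status);
END;
CREATE TRIGGER incident_au AFTER UPDATE ON incident BEGIN
  INSERT INTO incident_audit(incident_id, action, actor, at, old_status, new_status)
  VALUES (NEW.id, 'update', NEW.updated_by, NEW.updated_at, OLD.status, NEW.status);
END;
-- Audit rows cannot be altered or removed, even by the application account.
CREATE TRIGGER audit_ro_u BEFORE UPDATE ON incident_audit BEGIN SELECT RAISE(ABORT, 'audit rows are immutable'); END;
CREATE TRIGGER audit_ro_d BEFORE DELETE ON incident_audit BEGIN SELECT RAISE(ABORT, 'audit rows are immutable'); END;
"""

def open_store():
    conn = sqlite3.connect(":memory:")  # in practice: a file on an encrypted volume
    conn.executescript(SCHEMA)
    return conn

def _now():
    return datetime.now(timezone.utc).isoformat()

def create_incident(conn, title, actor):
    ts = _now()
    cur = conn.execute(
        "INSERT INTO incident(title, created_at, created_by, updated_at, updated_by)"
        " VALUES (?,?,?,?,?)", (title, ts, actor, ts, actor))
    return cur.lastrowid

def set_status(conn, incident_id, status, actor):
    conn.execute("UPDATE incident SET status=?, updated_at=?, updated_by=? WHERE id=?",
                 (status, _now(), actor, incident_id))

def audit_trail(conn, incident_id):
    # Who did what, in order; the 'at' column holds each change's timestamp.
    return conn.execute("SELECT action, actor, old_status, new_status FROM incident_audit"
                        " WHERE incident_id=? ORDER BY id", (incident_id,)).fetchall()
```

Access levels (who may read incidents versus who may read the audit table) are enforced with database roles and grants on a server database, which SQLite does not provide.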
Don't skimp on these incident handling requirements; often the perception of your organization's competency in this area can make the difference between the full weight of privacy law on your back and good will from investigators who want to work with you.