WS-3 · D-19 / D-20

Incident Response & Staff Training

GDPR breach response runbook, on-call rotation, tabletop drill record and mandatory training curriculum.

Plan version: v2.4 (last review 12 Aug)
Tabletop drills: 4 / yr (last drill 12 May)
Staff trained: 92% (all-staff completion)
Notification SLA: 72h (GDPR Art. 33)
GDPR Article 33: personal data breaches must be notified to the lead supervisory authority within 72 hours of becoming aware, where feasible. Article 34 requires notification to affected data subjects when the breach is likely to result in high risk.

7-phase breach response sequence (phase, target time window since detection, actions)

  1. Detect (0–15 min): SIEM auto-alert → on-call security engineer paged via PagerDuty. Triage severity using NIST SP 800-61.

  2. Contain (15–60 min): Isolate affected systems, revoke compromised credentials, rotate secrets in AWS Secrets Manager, snapshot evidence.

  3. Assess (1–4h): Forensic team scopes data categories impacted, identifies data subjects, reviews access logs and IDS evidence.

  4. Notify (4–72h): DPO submits notification to lead supervisory authority (ICO) within 72h. Inform affected data subjects when the breach is likely to result in high risk.

  5. Eradicate (1–7d): Patch root cause, redeploy clean infra, run validation scans, force-rotate user sessions and API tokens.

  6. Recover (1–14d): Restore from validated backups, monitor for recurrence, communicate restoration status via status page.

  7. Review (14–30d): Post-incident review (blameless), update runbook & training, regulatory follow-up, board-level reporting.
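The phase windows above and the Article 33 clock are the numbers an incident commander has to track against the wall clock during a live breach. The following is an added example (not part of this runbook or any tooling it describes) that encodes those windows as offsets from the detection timestamp, lists which phases are overdue given what has been marked complete, and reports whether the 72-hour supervisory-authority notification is still on track, already overdue, or was filed late. The timestamps in the `__main__` section are constructed sample values; the function names and the assumption that all phase windows start from the moment of detection are this example's own.

```python
from datetime import datetime, timedelta, timezone

# Phase windows from the 7-phase sequence, as (name, window start, window end),
# offset from detection. Encoding them as timedeltas is this example's choice.
PHASES = [
    ("Detect",    timedelta(minutes=0),  timedelta(minutes=15)),
    ("Contain",   timedelta(minutes=15), timedelta(minutes=60)),
    ("Assess",    timedelta(hours=1),    timedelta(hours=4)),
    ("Notify",    timedelta(hours=4),    timedelta(hours=72)),
    ("Eradicate", timedelta(days=1),     timedelta(days=7)),
    ("Recover",   timedelta(days=1),     timedelta(days=14)),
    ("Review",    timedelta(days=14),    timedelta(days=30)),
]

# GDPR Art. 33: notify the lead supervisory authority within 72h of becoming aware.
ART33_WINDOW = timedelta(hours=72)


def _ts(value):
    """Accept an ISO-8601 string or an aware datetime; normalise to UTC.
    Naive timestamps are rejected so a deadline is never computed in the wrong zone."""
    if isinstance(value, str):
        value = datetime.fromisoformat(value)
    if value.tzinfo is None:
        raise ValueError("timestamps must carry a timezone")
    return value.astimezone(timezone.utc)


def phase_deadlines(detected_at):
    """Absolute end-of-window (ISO-8601, UTC) for every phase, in runbook order."""
    t0 = _ts(detected_at)
    return {name: (t0 + end).isoformat() for name, _start, end in PHASES}


def overdue_phases(detected_at, now, completed=()):
    """Phases whose window has already closed but which are not marked complete."""
    t0, t = _ts(detected_at), _ts(now)
    done = set(completed)
    return [name for name, _start, end in PHASES if t > t0 + end and name not in done]


def art33_status(aware_at, now, notified_at=None):
    """Track the 72h Art. 33 clock.

    status is one of:
      on_track  - not yet notified, deadline still ahead
      overdue   - not yet notified, deadline passed
      notified  - notification filed on or before the deadline
      late      - notification filed after the deadline
    hours_remaining is negative once the deadline has been missed.
    """
    t_aware, t = _ts(aware_at), _ts(now)
    deadline = t_aware + ART33_WINDOW
    if notified_at is not None:
        t_notified = _ts(notified_at)
        status = "notified" if t_notified <= deadline else "late"
        delta = deadline - t_notified
    else:
        status = "on_track" if t <= deadline else "overdue"
        delta = deadline - t
    return {
        "deadline": deadline.isoformat(),
        "status": status,
        "hours_remaining": round(delta.total_seconds() / 3600, 2),
    }


if __name__ == "__main__":
    # Constructed sample timeline: detection at 09:00 UTC, status check five hours later.
    detected = "2024-01-10T09:00:00+00:00"
    now = "2024-01-10T14:00:00+00:00"
    for name, deadline in phase_deadlines(detected).items():
        print(f"{name:10s} window closes {deadline}")
    print("overdue:", overdue_phases(detected, now, completed={"Detect", "Contain"}))
    print("Art. 33:", art33_status(detected, now))
```

Feeding the tracker the same detection timestamp that the Art. 33 clock starts from keeps the two in step; if awareness is later judged to predate the SIEM alert, pass that earlier time as `aware_at` and the remaining hours shrink accordingly.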