A Beginner's Guide to Incident Response: Building Your Incident Response Plan


Many small businesses will have to build their incident response plan from scratch, which means taking a significant step towards complying with privacy laws, like the GDPR and CCPA. However, many are unsure of where and how to start. With these five steps, SMBs can build an incident response plan to ensure they can handle a breach quickly, efficiently, and with minimal damage.  

Register for the Webinar: How to Build Your Incident Response Plan on June 11th, 2020 at 1pm ET / 10am PT


An essential phase of an incident response plan is preparing your business and systems to detect, analyze, and mitigate incidents. At this stage, you complete the following actions.

Outline Definitions. Start by defining the parameters of an incident or breach within your organization. These definitions will help determine the differences between the two, as well as the level of impact and the factors that determine escalation. Some questions you may answer include:

  • What’s an incident?  
  • What’s a breach? 
  • What type of event will trigger your response plan?  
  • What roles do you have as an organization – are you a data processor, or controller? 
  • What contractual terms generally may be triggered by a breach on your side? 
  • Will unsuccessful attacks qualify? 
  • What data exists, and where is it stored?  
  • What is the value of your data?  
  • Who are your business partners’ contact persons and channels in case of a breach? 

Although definitions may vary, how you define a breach will bring context to your efforts to weigh the potential impact on your business.

Form Your Incident Response Team. Next, you'll want to identify members of your company that will make up your incident response team. The goal of this team is to minimize impact and quickly restore operations following a privacy or security incident. Identifying your incident response team can help your business respond to events quickly and efficiently. They will be responsible for:

  • Maintaining the privacy and security of personal data 
  • Documenting the extent, priority, and impact of a breach 
  • Identifying compromised assets 
  • Analyzing incidents to determine the required and appropriate follow-up action 
  • Conducting root cause analysis 
  • Completing mitigation tasks following an incident or breach 
  • Communicating organization status to the team

Small business owners should also consider obtaining help from outside sources to assist with handling breaches that are too large for your incident response team to handle.  

Prepare Your Staff. Once you put together your incident response team, you must train them on how to mitigate and respond to an incident once it occurs. Training will help each member of your IR team to identify threats to security and personal data, as well as understand their role in maintaining company security. During training, cover policies and processes crucial to maintaining and improving security, such as technology use, data handling procedures, data security best practices, and, of course, your incident response plan.


Phase two of your incident response plan involves developing a fast and effective method of detecting and internally reporting privacy and security incidents. Everyone in your business should have a basic understanding of what an incident is and how to report it to the incident response team. Here you'll want to identify and assess the incident, gather evidence, and determine the nature and impact of the event to decide if escalation is necessary.

For SMBs, this may involve continuous monitoring and manually looking for threats to personal data, which can be a tedious task. However, with an automated compliance tool, like OneTrust Pro Privacy Assessments, your incident response team can conduct regular assessments of your organization to quickly reveal and flag areas where your data could be at risk.  


Now that you’ve established a method of identifying incidents, how will your team respond? Building an effective plan includes defining a clear course of action once an incident occurs. This phase should involve procedures that immediately target and contain an incident or breach to prevent further damage. These include: 

  • Intercepting unauthorized actions 
  • Shutting down breached systems 
  • Revoking or changing access 
  • Resolving weak points in security


Once you've contained the issue, your next step is to mitigate the breach. In this portion of your plan, you'll want to outline how your incident response team will combat all traces of a threat, including how your data subjects can protect themselves. As a growing business, you might not have an expert on your incident response team to handle this portion of your plan. Instead, you can look to supervisory authorities and industry experts for guidance on mitigation best practices and on whether to inform affected data subjects.

You will also need to address processes for notifying data subjects and supervisory authorities. Prompt notification of a breach can help individuals mitigate damage by taking action to protect themselves. The way you formulate your notification to data subjects and authorities will heavily rely on the specific breach notification requirements of the related jurisdictions. It's best to get an understanding of which notification requirements you should meet based on the locations you operate in and the origins of the data you process.

For example, the GDPR requires notice to supervisory authorities only when a breach results in a risk to the rights of individuals. Article 33(1) of the GDPR requires controllers to notify supervisory authorities of a data breach "without undue delay and, where feasible, not later than 72 hours after becoming aware" of it. Still, there's a possibility that you'll have more than one notification obligation that you'll have to meet. Depending on your jurisdiction, you may be obligated to provide notice under other laws, such as HIPAA, ePrivacy, and more, in addition to notifying multiple authorities.
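As an added example (not OneTrust's code), a small Python model of the escalation logic this guide describes: the definitions from step one decide whether an event counts as a breach, your role as controller or processor decides who must be told, and the Article 33(1) clock runs from the moment you became aware. The `Incident` class, its field names and the sample incident are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Art. 33(1) GDPR: notify the supervisory authority "where feasible, not later than
# 72 hours after becoming aware" of a breach that poses a risk to individuals.
GDPR_NOTIFY_WINDOW = timedelta(hours=72)

@dataclass
class Incident:                       # assumed record shape, not a OneTrust schema
    ref: str
    aware_at: datetime                # moment the organization became aware (tz-aware)
    role: str                         # "controller" or "processor"
    personal_data: bool               # does the event involve personal data?
    attack_succeeded: bool            # unsuccessful attempts may not qualify as a breach
    risk_to_individuals: bool         # the Art. 33(1) risk threshold
    notified_at: Optional[datetime] = None
    delay_reason: str = ""            # Art. 33(1): a late notice must give reasons for the delay

def classify(inc: Incident) -> str:
    """Apply the plan's own definitions: event < incident < breach."""
    if not inc.attack_succeeded:
        return "event"
    if not inc.personal_data:
        return "incident"
    return "breach"

def supervisory_deadline(inc: Incident) -> Optional[datetime]:
    """Art. 33(1) deadline for a controller, or None when no authority notice is required."""
    if classify(inc) != "breach" or inc.role != "controller" or not inc.risk_to_individuals:
        return None
    return inc.aware_at + GDPR_NOTIFY_WINDOW

def notification_status(inc: Incident, now: datetime) -> str:
    """Escalation state the response team can act on and record."""
    if classify(inc) == "breach" and inc.role == "processor":
        return "notify the controller without undue delay"   # Art. 33(2)
    deadline = supervisory_deadline(inc)
    if deadline is None:
        return "no supervisory notice required; record the risk assessment"
    if inc.notified_at is None:
        return "OVERDUE" if now > deadline else "due by " + deadline.isoformat()
    if inc.notified_at <= deadline:
        return "notified in time"
    return "notified late; reasons for delay " + ("recorded" if inc.delay_reason else "missing")

# Constructed sample: a successful phishing login that exposed customer records.
SAMPLE = Incident("IR-2020-001", datetime(2020, 6, 11, 13, 0, tzinfo=timezone.utc),
                  "controller", True, True, True)
```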


The recovery phase of your incident response plan is going to be your chance to bring business operations back to normal. The goal is to establish follow-up action that will ensure systems are restored and show no signs of compromise. Planning and documenting these steps ahead of time can help to shorten recovery time and minimize losses. This final section will need to include:

  • How to restore systems 
  • Key resources and technology 
  • Staff members required to carry out recovery tasks 
  • Lessons Learned – Plan to ensure a breach does not occur in the future 

Privacy and security breaches are an ordeal that no growing business wants to experience. With these five steps, small and mid-size business owners can plan in case of a significant attack or breach and maintain the privacy and security of their data. 

Learn how OneTrust Pro Privacy Incident Response can help you rapidly investigate and dynamically assess incidents using context-aware workflows and automated tasks.



Onetrust All Rights Reserved