# Incident Response

Privacy incidents require documented response procedures and, where required, regulatory notification. This guide covers the regulatory requirements and how Dxtra supports incident documentation.

**Customer Responsibility:** Dxtra provides compliance issue tracking for documentation purposes. Organizations must develop and maintain their own incident response procedures, notification processes, and security monitoring.
## Regulatory Notification Requirements

### GDPR (Articles 33-34)

Supervisory authority notification:
- Timeline: 72 hours from becoming aware of the breach
- Trigger: Personal data breach likely to result in a risk to individuals
- Content: Nature of the breach, categories and approximate numbers affected, DPO contact, likely consequences, mitigation measures
Individual notification:
- Timeline: Without undue delay
- Trigger: High risk to rights and freedoms of individuals
- Content: Clear description, DPO contact, likely consequences, mitigation measures
### CCPA

- No specific notification timeline to the attorney general
- Individual notification required for unauthorized access to unencrypted personal information
- Maintain records for compliance audits
### State Breach Notification Laws

US state laws vary, typically requiring:
- Notification within 30-90 days
- Notification to state attorney general
- Notification to affected individuals
- Credit monitoring in some states
## Compliance Issue Tracking
Dxtra provides compliance issue tracking through the dashboard. Each issue includes:
| Field | Description |
|---|---|
| Status | Current status (open, in progress, resolved) |
| Priority | Issue priority level (high, medium, low) |
| Description | Issue details and investigation notes |
| Dismissed | Whether the issue has been reviewed and dismissed |
| Timestamps | Creation and last update dates |
### Access Control
Compliance issue access is restricted by role:
| Permission | Roles |
|---|---|
| Create, update, and view | Admin, Owner, Business Owner, Data Protection Officer |
| View only | Data Controller, Auditor / Regulator |
| Delete | Admin, Owner, Business Owner |
## Incident Response Workflow

### Phase 1: Detection and Assessment

- Identify incident -- Log the potential incident as a compliance issue in the dashboard
- Initial assessment -- Evaluate scope and potential impact
- Classify severity -- Set priority (high/medium/low)
- Document -- Record details in the issue description
### Phase 2: Investigation
- Scope determination -- Identify affected data and systems
- Impact analysis -- Assess risk to data subjects
- Evidence collection -- Gather logs and forensic data
- Update records -- Document findings in the compliance issue
### Phase 3: Notification Decision

Based on the investigation, determine the notification requirements:
| Risk Level | DPA Notification | Individual Notification |
|---|---|---|
| Low | Document internally | Not required |
| Medium | Consider voluntary notification | Consider notification |
| High | Required within 72 hours | Required without undue delay |
### Phase 4: Response and Recovery
- Containment -- Implement immediate controls
- Remediation -- Address root cause
- Recovery -- Restore normal operations
- Documentation -- Update compliance issue with actions taken
### Phase 5: Post-Incident
- Lessons learned -- Document improvements
- Policy updates -- Revise procedures if needed
- Close issue -- Update status to resolved
- Audit trail -- Maintain records for future reference
## Notification Documentation

### DPA Notification Content

When notifying supervisory authorities, document:
- Nature of breach (categories of data, approximate numbers)
- Name and contact details of DPO
- Likely consequences of breach
- Measures taken or proposed
### Individual Notification Content

When notifying affected individuals, include:
- Clear, plain language description
- Name and contact of DPO
- Likely consequences
- Measures taken and recommended actions
## Risk Assessment

### Factors to Consider
| Factor | Low Risk | Medium Risk | High Risk |
|---|---|---|---|
| Data type | Contact info | Financial data | Health, biometric, children's data |
| Volume | <100 individuals | 100-10,000 | >10,000 |
| Harm likelihood | Technical controls effective | Potential for misuse | High probability of harm |
| Population | General public | Standard customers | Vulnerable groups |
## Common Incident Scenarios

### Unauthorized Access
- Log compliance issue with description of access detected
- Assess scope: what data was accessible?
- Determine if data was actually accessed or exfiltrated
- Assess notification requirements based on risk
- Document response actions
### Data Exposure
- Log compliance issue with exposure details
- Identify duration of exposure
- Determine if data was accessed during exposure
- Implement containment measures
- Assess notification requirements
### Vendor Breach
- Receive notification from vendor
- Log compliance issue linked to processor
- Coordinate with vendor on impact assessment
- Determine your notification obligations
- Document joint response
## Implementation Checklist
- Establish incident response team with assigned roles
- Document internal escalation procedures
- Create notification templates for DPA and individuals
- Define risk assessment criteria
- Train staff on incident identification
- Test response procedures periodically
- Maintain contact list for legal, DPO, and management
## Common Questions

### How do we track the 72-hour notification deadline?

Monitor the compliance issue creation timestamp. The 72-hour deadline starts from when the organization becomes aware of the breach, not from when the issue is logged, so log the issue as soon as the incident is identified so that its creation timestamp reflects the time of awareness.
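As an added illustration (not part of Dxtra or its documentation), the following Python turns the Factors to Consider table, the Phase 3 decision table and the 72-hour clock into a single assessment. The factor labels, the "worst factor wins" combination rule and the ISO-8601 timestamp input are assumptions, not something the page or the product defines.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Ordered so that max(..., key=LEVELS.index) picks the most severe level.
LEVELS = ("low", "medium", "high")

# "Factors to Consider" rows, keyed by constructed labels for the table cells.
DATA_TYPE = {"contact": "low", "financial": "medium",
             "health": "high", "biometric": "high", "children": "high"}
HARM = {"controls_effective": "low", "potential_misuse": "medium",
        "probable_harm": "high"}
POPULATION = {"general_public": "low", "standard_customers": "medium",
              "vulnerable": "high"}

# Phase 3 table: (DPA notification, individual notification) per risk level.
DECISION = {
    "low": ("Document internally", "Not required"),
    "medium": ("Consider voluntary notification", "Consider notification"),
    "high": ("Required within 72 hours", "Required without undue delay"),
}

def volume_level(individuals: int) -> str:
    """Volume row: <100 low, 100-10,000 medium, >10,000 high."""
    if individuals < 100:
        return "low"
    return "medium" if individuals <= 10_000 else "high"

@dataclass
class Assessment:
    risk: str
    dpa_notification: str
    individual_notification: str
    dpa_deadline: datetime  # awareness time + 72 h (GDPR Art. 33)

def assess(data_type: str, individuals: int, harm: str, population: str,
           aware_at_iso: str) -> Assessment:
    """Rate each factor, take the worst one (an assumed combination rule),
    and start the 72-hour clock at the awareness timestamp, not at logging."""
    levels = [DATA_TYPE[data_type], volume_level(individuals),
              HARM[harm], POPULATION[population]]
    risk = max(levels, key=LEVELS.index)
    dpa, individual = DECISION[risk]
    aware_at = datetime.fromisoformat(aware_at_iso)
    return Assessment(risk, dpa, individual, aware_at + timedelta(hours=72))

def hours_remaining(a: Assessment, now_iso: str) -> float:
    """Hours left in the Art. 33 window; negative once it has closed."""
    return (a.dpa_deadline - datetime.fromisoformat(now_iso)).total_seconds() / 3600
```

A single high-rated factor (for example, more than 10,000 individuals) is enough to push the whole incident into the 72-hour notification path under this rule.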
### Can we generate notification documents from Dxtra?
Use compliance issue records as source data for drafting notification documents. Dxtra does not generate notification templates automatically.
### How do we link incidents to affected data subjects?
Document affected data subject information in the compliance issue description. Use the Activity Log to identify affected processing activities.
## For Auditors and Regulators

### What Auditors Can Access
| Record Type | Access | Description |
|---|---|---|
| Compliance issues | Read-only | Incident records with status and resolution |
| Timeline evidence | Read-only | Creation and last-update timestamps as evidence of the 72-hour deadline being met |
| Response actions | Read-only | Documented containment and remediation steps |
## Related Documentation
- GDPR Implementation -- GDPR Articles 33-34 breach requirements
- Compliance Overview -- All compliance features
- Security and Compliance -- Security practices
- Data Controller Setup -- Initial configuration