The data breach response team
The only thing worse than a data breach is a lousy breach response, which can turn an otherwise manageable crisis into a full-blown debacle. To keep organizations from making further mistakes that could endanger affected data subjects even more, NPC Circular 16-03 has mandated personal information controllers (PIC) and processors (PIP) to assemble a data breach response team well ahead of any incident.
Doing so allows you not only to carefully evaluate potential team members for their competence and disposition but also to shape the team in accordance with your organization’s resources and actual needs.
The goal of the data breach response team is to ensure timely action in the event of a security incident or personal data breach. Under NPC Circular 16-03, the team is tasked to implement the organization’s security incident management policy; manage its security incidents and personal data breaches; and facilitate compliance with all pertinent personal data breach management requirements as mandated under the Data Privacy Act, its IRR, and NPC issuances.
Regardless of an organization’s resources, there are a few roles and functions the team members must perform. From these, you can decide to combine or divide certain functions according to your needs and proceed with your staffing decisions.
Before deciding on the exact team composition, however, you should first decide whether or not to include the data protection officer (DPO) in the team, which the Circular has left to management discretion.
The Circular does not prescribe how many members the team should have. It does, however, prescribe that it must be headed by a leader with decision-making functions. Other than this, there are four other main roles that you may consider, namely: chief investigator; communications head; team documenter; timeline coordinator; and legal representative.
Team leader — The Circular basically describes this team member as someone who has authority to make “immediate decisions regarding critical action, if necessary.” He or she coordinates all activities of the team, and keeps the team focused on damage minimization and quick recovery.
Chief investigator — This member is responsible for collecting and analyzing evidence, determining root cause, and implementing system and service recovery.
Communications head — In charge of messaging and communications with all audiences, the communications head prepares the working draft of NPC and data subject notifications, if needed. He or she should also ensure content coordination for the drafting of the full breach report.
Team documenter — This member documents all actions and decisions of the data breach response team for legal and other purposes.
Timeline coordinator — Monitoring the status and progress of the data breach response, the timeline coordinator generates and updates a reliable timetable the team can use to structure and coordinate their deliverables, including reportorial requirements.
If you have questions or concerns, you may contact the National Privacy Commission via 234-22-28 (local 114) or email info@privacy.gov.ph.