Reference: https://www.isaca.org/resources/isaca-journal/issues/2020/volume-4/incidentresponse-models
The primary objective of privacy incident response is to mitigate the impact of privacy incidents on the organization and the data subjects. It is a process that involves identifying, containing, analyzing, resolving, and learning from incidents that involve personal data. Its aim is to reduce the harm and liability that may result from such incidents, such as reputational damage, regulatory fines, legal actions, or loss of trust. Privacy incident response also improves the organization's privacy posture and resilience by implementing corrective and preventive measures.
While notifying data subjects impacted by privacy incidents may be a legal or ethical obligation, it is not the primary objective of privacy incident response. Rather, it is one of the possible steps or outcomes of the process, depending on the nature and severity of the incident. Similarly, reducing privacy risk to the lowest possible level or optimizing the costs associated with privacy incidents are desirable goals, but not the main purpose of privacy incident response.
Reference: Privacy incidents and breaches, DHS Privacy Incident Handling Guidance, Incident and Breach Management