
Do I legally have to have an Incident Management Plan?

This can depend on how the Articles of the UK and EU GDPR are interpreted. Our view is that it is a legal requirement.

Here’s a breakdown of the requirements and why it’s critical to have a robust incident management plan:
1. Legal and Regulatory Obligations

General Data Protection Regulation (GDPR) - EU & UK GDPR

  • Article 33 of the GDPR requires organisations to report a personal data breach to the Data Protection Authority (DPA) within 72 hours of becoming aware of it, where the breach is likely to result in a risk to the rights and freedoms of individuals.
  • Article 34 requires organisations to notify affected individuals without undue delay if there is a high risk to their rights and freedoms.
  • While GDPR does not specifically mandate an incident management plan, it implies that organisations must be able to detect, manage, and report data breaches effectively.
    • A well-established incident management plan helps you identify breaches quickly and follow the necessary processes to meet these legal requirements.

Network and Information Systems Directive (NIS Directive) (EU)

  • The NIS Directive applies to operators of essential services (e.g., energy, transport, healthcare) and digital service providers (e.g., cloud computing). It requires organisations to take appropriate technical and organisational measures to manage risks to the security of their networks and information systems.

  • Organisations covered by the NIS Directive must have incident response procedures in place to notify authorities within specific timeframes (usually 24 hours for significant incidents).

  • UK NIS Regulations (Post-Brexit): The UK has adopted similar requirements for operators of essential services and digital service providers under the UK NIS regulations. Having an incident response plan is essential to ensure you meet these requirements.
2. Industry Best Practices

Even though a formal incident management plan is not specifically mandated by law outside of certain regulations (such as GDPR or NIS), it is considered an industry best practice. Standards such as ISO 27001 (Information Security Management System) emphasise the need for an incident management process so that organisations can respond effectively to cyber security incidents.

ISO 27001:

  • ISO 27001, an internationally recognised information security standard, requires organisations to have a documented incident management procedure in place as part of their broader information security management system (ISMS).
    • This includes procedures for identifying, responding to, and recovering from security incidents (e.g., data breaches, cyber attacks).
    • While not a legal requirement, adherence to ISO 27001 can demonstrate due diligence and commitment to cyber security best practices.

3. Risk Mitigation and Legal Protection

  • An incident management plan helps mitigate risks associated with cyber security events and data breaches.
  • If an incident occurs and you do not have a plan in place, your organisation may be ill-prepared to act swiftly, potentially leading to more severe financial, reputational, and legal consequences.
  • Not having a structured approach to incident management could be seen as a failure in your duty to protect personal data, particularly under GDPR or industry-specific regulations, and could result in fines, penalties, or legal action.

4. Insurance Requirements

  • Many organisations take out cyber insurance to protect against the financial fallout of a breach.
    • Insurers often require businesses to have an incident response plan in place as part of the terms and conditions for coverage.
    • Failure to comply with these terms could result in claims being denied or reduced.

Conclusion

While having an incident management plan is not explicitly mandated by law in all cases, certain regulations (such as GDPR and the NIS Directive) do require organisations to respond effectively to data breaches and security incidents. Additionally, best practices and industry standards emphasise the importance of having a plan in place.

So, while it may not be a strict legal requirement for every business, not having one could leave you vulnerable to legal consequences, reputation damage, and financial losses. Therefore, it is in your best interest to have a well-defined incident management plan, both for legal compliance and operational effectiveness.