Sharing Information with stakeholders

The organisation should have clear communication channels for event reporting:

• Establish and maintain adequate communication channels for security event reporters, ensuring that:
• A common point of contact for reporting events is identified and communicated to all relevant parties.
• Different reporting channels are available based on the perceived severity of events, including real-time communication options for significant emergencies and asynchronous methods (e.g., tickets, email) for less urgent matters.

Organisation should also consider the possibility of external reporting. This could mean having a system to handle security event reports from external parties, including:

• An externally accessible and well-communicated method for reporting security events.
• Defined procedures for responding to and addressing security event reports from external sources.

The organisation should also ensure that the mechanisms and information for reporting incidents are easily accessible to all relevant reporters and establish a feedback procedure to provide timely responses and updates to those who report security events, ensuring they are informed of the outcomes and any necessary follow-up actions.

The controller must assess the risk of the personal data breach to the data subjects. The assessment must take into account, for example, the following:

• How likely is it that the data will be used to cause harm?
• What harm could the data be used for (e.g. identity theft, fraud, psychological distress, humiliation or reputational damage)?
• Nature, sensitivity and amount of personal data
• How easy it is to identify the registrant using the data?
• Are there many children or otherwise vulnerable people among the registrants?

The risk assessment affects the urgency and scope of reporting a breach.

In the event of an incident, communication with internal and external stakeholders must be in accordance with the incident response plan.

If it is appropriate from the point of view of the service provided by the organization, the organization will notify the users of its services without delay of significant disruptions that are likely to negatively affect the delivery of the services in question. 

A disruption is significant when at least one of the following occurs:

• disruption can cause a serious disruption in the operation of services or serious financial losses for the service provider
• disruption can cause significant material or non-material damage to related people or other organizations

The organization shall have procedures in place to communicate effectively with stakeholders and other participants during continuity plans and survival procedures.

Communication plans related to continuity plans shall include:

• Responsible persons, related stakeholders and other necessary contact information
• Clear criteria for the situation where continuity communication will be implemented
• A clear description of the staff implementing the continuity communication in each situation and the recipients to whom the communication will be sent
• References to the templates and tools to be used