Certified Information Privacy Manager (CIPM) — Question 177
While trying to e-mail her manager, an employee has e-mailed a list of all the company's customers, including their bank details, to an employee with the same name at a different company.
Which of the following would be the first stage in the incident response plan under the General Data Protection Regulation (GDPR)?
Answer options
- A. Notification to data subjects.
- B. Containment of impact of breach.
- C. Remediation offers to data subjects.
- D. Notification to the Information Commissioner’s Office (ICO).
Correct answer: B
Explanation
The first step in an incident response plan under GDPR is to contain the impact of the breach, which involves taking immediate actions to limit any potential damage. Notifying data subjects, offering remediation, and notifying the ICO are important steps, but they come after the breach's immediate effects have been addressed.