Glossary

Incident Response Plan

Documented procedures for detecting, analysing and recovering from security incidents.


An incident response plan is your playbook for when things go wrong — a data breach, a ransomware attack, an AI system producing harmful outputs, or a cloud provider outage. Under GDPR, you must report certain data breaches to the supervisory authority within 72 hours. Without a plan, those 72 hours disappear in chaos.

How to build your plan:

  • Detection: Define how incidents are discovered. Set up monitoring alerts, establish a reporting channel (e.g. a dedicated Slack channel or email), and make clear what qualifies as an incident vs. a normal issue.
  • Assessment and triage: Who decides the severity? Create a simple classification: critical (data breach, system compromise), high (service disruption), medium (suspicious activity), low (minor anomaly). Assign an incident lead per severity level.
  • Containment: Define immediate actions per incident type. For a data breach: isolate affected systems, revoke compromised credentials, preserve evidence. For an AI incident: disable the affected feature, switch to a fallback.
  • Notification: Know your legal obligations. GDPR: notify the Dutch DPA within 72 hours if personal data is affected. NIS2: notify CSIRT within 24 hours. Also plan customer communication — silence erodes trust faster than the incident itself.
  • Recovery and review: Restore normal operations, then conduct a blameless post-mortem. Document what happened, what worked, what did not, and update your plan accordingly.

The NCSC incident response guidance provides a practical starting point. Tidal Control helps you create, maintain and test your incident response plan, and provides workflows for tracking incidents and generating the documentation needed for regulatory notifications.
