How to Use the Privacy Incident Assessment Worksheet

Policy Overview & Usage Guide for GDPR Article 33/34 and privacy incident response.

Template: PRI-009 (.docx)

Standardize breach assessment & notification in one document.

This worksheet standardizes the assessment of personal data breaches under GDPR Article 33/34 and applicable privacy laws. It determines regulatory notification requirements, tracks containment actions, and provides audit-ready documentation for incident response.

Policy Overview & Usage Guide


Recommended Owner: Data Protection Officer (DPO), Incident Commander, or Privacy Counsel  |  Approval Required: Executive Leadership (CEO/CTO) + Legal/Compliance Sign-Off

Section 1

Getting Started

  • Understand the Brackets: [Bold Black Brackets] = Mandatory fields/decision points you must complete during the incident. [Italic Gray Brackets] = Examples/guidance showing the expected level of detail. Replace with your actual incident data or delete if not applicable.
  • Time-Sensitive Use: This is a live incident response tool. Fill it out in real-time as facts emerge. Accuracy and timeliness matter more than initial completeness.
  • Cross-Reference: Aligns with PRI-002 (Incident/DSAR Log), PRI-004 (DPA), and your internal Incident Response Playbook.
Important

Replace all bracketed content during the active response phase. Do not leave placeholder text in archived incident records.

Section 2

Key Things to Decide

Before or during the assessment, clarify these operational points:

  • When did awareness occur? The 72-hour GDPR clock starts when any employee becomes aware, not when the DPO is notified.
  • What is our legal role? Are we Controller, Processor, or Joint Controller? This dictates notification duties, timelines, and third-party coordination.
  • What data & jurisdictions are impacted? Cross-border triggers (EU, UK, US states, APAC) change regulatory obligations and parallel notification paths.
  • Are safeguards intact? Was data encrypted? Were keys compromised? This directly determines whether you can exempt subject notifications under GDPR Art 34.

Section 3

How to Fill Out the Tables

Every section includes [italic gray sample text] to guide you. Here’s how to apply it:

  • Section 2: Incident Details & 72-Hour Countdown
    Purpose: Locks in the factual baseline and starts the regulatory clock.
    Action: Record detection time, awareness time, and calculate the strict 72-hour DPA deadline. Use the countdown table to track compliance even if forensic details are pending.
  • Section 2.2: Incident Classification Matrix
    Purpose: Categorizes the breach dimension (Confidentiality, Integrity, Availability).
    Action: Check all applicable dimensions using the Yes / No brackets. Multi-dimension breaches typically trigger higher risk scoring.
  • Section 3: Risk Assessment & Quantitative Scoring
    Purpose: Moves from subjective judgment to defensible risk calculation.
    Action: Evaluate qualitative risk factors, then use the 1–5 scoring table to calculate a weighted risk score. Thresholds: Low (≤8), Medium (9–15), High (≥16). Document your evidence in the Assessment column.
  • Section 4: Notification Determination & Cross-Border Impact
    Purpose: Maps regulatory obligations based on risk score and geography.
    Action: Decide DPA vs. subject notification requirements. Map affected jurisdictions, determine One-Stop-Shop applicability, and check US state AG/credit monitoring triggers.
  • Section 4.2–4.5: Role, Safeguards, Law Enforcement & State Laws
    Purpose: Documents legal position, technical exemptions, and parallel reporting paths.
    Action: Fill in your organization's role, verify encryption/key status with Engineering, log LE engagement if applicable, and complete the US state breach checklist.
  • Section 5: Containment, Escalation & Communications
    Purpose: Tracks execution, evidence, and stakeholder alignment.
    Action: Log containment actions, executive/board/insurer notifications, and DPA/subject communications. Always record the evidence location (portal receipt ID, email thread, ticket link).
  • Section 6: Post-Incident Review & Final Determination
    Purpose: Closes the loop and captures lessons learned.
    Action: Complete within 30 days. Document root cause, control gaps, and remediation steps. Assign final severity (SEV-1/2/3) and check the Final Determination box to officially classify the incident.
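The 72-hour countdown, the Low/Medium/High thresholds, and the Article 34 encryption exemption described above are the parts of the worksheet that teams most often wire into their incident tooling. The following is an added example written for this guide, not code from the PRI-009 template or its publisher. It uses the thresholds exactly as stated (Low ≤8, Medium 9–15, High ≥16) and counts the deadline from first awareness; the four factor names and their equal weights are placeholders, since the worksheet's actual scoring factors are not reproduced here, and treating a "High" level as the Article 34 high-risk trigger is an assumption for the sake of the example.

```python
"""Decision helpers modelling the worksheet's 72-hour clock, risk bands and
Art. 34 exemption logic. Added example; not the PRI-009 template itself."""
from datetime import datetime, timedelta

# Art. 33: DPA notification is due within 72 hours of awareness.
DPA_NOTIFICATION_WINDOW = timedelta(hours=72)

# Bands as stated in the guide: Low <=8, Medium 9-15, High >=16.
RISK_THRESHOLDS = {"Low": 8, "Medium": 15}

# Placeholder factor names and weights; the real worksheet's scoring table
# is not reproduced on this page. Four factors x max rating 5 = 20 fits the bands.
DEFAULT_WEIGHTS = {
    "data_sensitivity": 1,
    "volume_of_subjects": 1,
    "likelihood_of_misuse": 1,
    "severity_of_consequences": 1,
}


def dpa_deadline(awareness: datetime) -> datetime:
    """72-hour DPA deadline counted from *first awareness* by any employee,
    not from when the DPO was told. Naive timestamps are rejected because
    time-zone mix-ups on this deadline are a classic audit finding."""
    if awareness.tzinfo is None:
        raise ValueError("awareness timestamp must be timezone-aware")
    return awareness + DPA_NOTIFICATION_WINDOW


def deadline_from_iso(awareness_iso: str) -> str:
    """Convenience wrapper for log/ticket systems that exchange ISO-8601 strings."""
    return dpa_deadline(datetime.fromisoformat(awareness_iso)).isoformat()


def hours_remaining(awareness: datetime, now: datetime) -> float:
    """Hours left on the clock for the countdown table (negative once overdue)."""
    return (dpa_deadline(awareness) - now) / timedelta(hours=1)


def weighted_score(ratings: dict, weights: dict = DEFAULT_WEIGHTS) -> int:
    """Sum of weight * rating over all factors; every rating must be on the 1-5 scale."""
    score = 0
    for factor, weight in weights.items():
        rating = ratings[factor]  # KeyError flags a factor left blank on the worksheet
        if not 1 <= rating <= 5:
            raise ValueError(f"{factor}: rating {rating} is outside the 1-5 scale")
        score += weight * rating
    return score


def risk_level(score: int) -> str:
    """Map a weighted score onto the guide's Low / Medium / High bands."""
    if score <= RISK_THRESHOLDS["Low"]:
        return "Low"
    if score <= RISK_THRESHOLDS["Medium"]:
        return "Medium"
    return "High"


def subject_notification_required(level: str, encrypted: bool,
                                  keys_compromised: bool) -> tuple:
    """Return (required, rationale) for notifying data subjects.

    Assumption: a High level is treated as the Art. 34 high-risk trigger.
    The exemption needs both halves, encrypted AND keys verified intact,
    and the rationale string records the 'why not' for the audit trail."""
    if level != "High":
        return False, f"risk level {level}: Art. 34 high-risk threshold not met"
    if encrypted and not keys_compromised:
        return False, "exempt under Art. 34(3)(a): data encrypted, keys verified intact"
    if encrypted:
        return True, "encrypted but keys compromised: exemption does not apply"
    return True, "high risk and data not encrypted: notify affected individuals"


if __name__ == "__main__":
    # Constructed scenario: help desk aware at 09:00 UTC, DPO told six hours later.
    print("DPA deadline:", deadline_from_iso("2024-03-01T09:00:00+00:00"))
    score = weighted_score({"data_sensitivity": 5, "volume_of_subjects": 4,
                            "likelihood_of_misuse": 4, "severity_of_consequences": 4})
    level = risk_level(score)
    print(f"score={score} level={level}")
    print(subject_notification_required(level, encrypted=True, keys_compromised=True))
```

Note that the rationale string is returned alongside the boolean on purpose: the guide's advice to document "why not" for an exemption is easiest to honour when the decision helper emits the justification that goes into the worksheet's Assessment column.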

Section 4

Before You Finalize

  • Did you replace all [Bold Brackets] with actual incident details, timestamps, and decisions?
  • Did you update/remove [Italic Gray Examples] to reflect the actual incident scope and safeguards?
  • Is the 72-hour clock accurately calculated from the initial awareness timestamp?
  • Has encryption/key compromise status been verified directly with Engineering?
  • Are all jurisdictional obligations (EU/UK/US/APAC) mapped and assigned to the correct teams?
  • Have executive, board, and insurer notifications been logged with evidence links?
  • Has Legal Counsel reviewed the notification determinations and exemption rationales?

Section 5

Where to Store & Execute It

  • Secure Storage: Store the completed worksheet in your restricted Incident Response or Compliance repository (e.g., SharePoint, GRC platform).
  • Audit Evidence: When regulators or auditors request breach documentation, provide this signed worksheet alongside PRI-002 logs, DPA submission receipts, and forensic reports.
  • Training & Drills: Use this template for tabletop exercises. Pre-fill mock scenarios to test your team’s speed, accuracy, and cross-functional coordination.
  • Review Cadence: Update the document continuously during active incidents. Close, sign, and archive within 30 days of remediation completion.

Pro Tips

Best Practices for Incident Response

  • Start the Clock Immediately: The 72-hour timer begins at first awareness. Log it in Section 2.1 even if full forensic details aren’t known yet.
  • Document “Why Not” for Exemptions: If you skip notifying data subjects because data was encrypted, explicitly document the encryption method and confirm keys weren’t compromised.
  • Track Evidence Rigorously: Auditors focus on proof of delivery, not just intent. Log file paths, portal receipt IDs, or email timestamps for every notification.
  • Keep Severity Consistent: Align the SEV-1/2/3 classification with your existing SIEM/IR program thresholds to avoid conflicting internal reports.

FAQ

Frequently Asked Questions

Q: What if we miss the 72-hour notification window?

Notify the relevant DPA immediately and document the reason for the delay. Regulators typically accept delayed notifications if they are accompanied by a credible explanation of why the delay was unavoidable and evidence of rapid internal escalation once the breach was confirmed.

Q: Do we always need to notify affected individuals?

No. Under GDPR Article 34, you can exempt subject notifications if you can demonstrate that the data was encrypted or otherwise unintelligible, and that encryption keys were not compromised. Document this technical verification thoroughly.

Q: How does the One-Stop-Shop (OSS) mechanism work?

If you operate across multiple EU/EEA countries, you generally report only to your lead supervisory authority (where your main establishment is located). That authority coordinates with other concerned authorities, simplifying cross-border reporting.

Next Steps

  1. Initialize: Open the template and populate Section 2 with initial facts as soon as an incident is detected.
  2. Calculate Timelines: Fill the 72-hour countdown and assign jurisdiction-specific notification deadlines.
  3. Assess Risk: Complete the qualitative matrix and quantitative scoring to determine notification paths.
  4. Execute & Log: Carry out containment, notify required parties, and document every action in Sections 5.1–5.5.
  5. Close & Archive: Complete the post-incident review, assign final severity, obtain DPO/CISO sign-off, and store securely.

A structured, consistently documented breach assessment turns a high-pressure incident into a defensible, audit-ready response. Fill in real-time facts, verify safeguards with engineering, and maintain a strict evidence trail.