cdpse-d1-management-privacy-incident-management

Privacy Incident Management

isaca-cdpse · framework · Production-ready

Drawn fromCDPSE Review Manual · ISACA peer-reviewed case sets·Reviewed May 5, 2026

How this was built ▾

Every cubelet runs through five agent passes before publishing. Each stage's output is recorded so we can trace how a claim got here.

01 · RESEARCHSource synthesisClaude Haiku
02 · WRITERSix-face draftingClaude Sonnet
03 · EDITORCoherence + clarity passClaude Sonnet
04 · QAQuality gate scoringClaude Opus
05 · PUBLISHERCatalog + graph commitClaude Haiku

This runcourse-factory-pipeline-v1

1

Face 1 of 6 · WHAT

What is Privacy Incident Management

Privacy Incident Management is the organizational governance process for identifying, assessing, containing, notifying, documenting, and remediating events that result in — or risk resulting in — unauthorized access, disclosure, alteration, or loss of personal data. Under the ISACA CDPSE framework, it sits within Privacy Governance → Management and spans the full lifecycle from initial detection through post-incident improvement. Privacy incident management is distinct from cybersecurity incident management: both may be triggered by the same event (e.g., a ransomware attack), but privacy incident management addresses obligations to data subjects and regulatory bodies — not system restoration. A privacy incident exists whenever personal data is compromised, regardless of whether any system was breached. Conversely, a system breach is not a privacy incident unless personal data is actually at risk.

Where it stops · what it isn't

—IS: Governance processes, decision frameworks, and regulatory obligations for responding to events that expose — or risk exposing — personal data of identifiable individuals
—IS: Regulatory notification obligations (GDPR Art. 33/34, HIPAA Breach Notification Rule, CCPA §1798.82) and the internal escalation paths that fulfill them
—IS: Cross-functional coordination (Privacy Officer, Legal, IT Security, HR, Communications, Finance) and role accountability for privacy-specific incident decisions
—IS: Documentation requirements for regulatory compliance (incident records, impact assessments, remediation evidence)
—IS: Vendor and third-party incident responsibilities, SLA enforcement, and shared notification protocols
—IS NOT: Pure cybersecurity incident response focused on system containment and restoration (patching, malware eradication) — that is a separate competency
—IS NOT: Privacy Impact Assessments (PIAs/DPIAs), which are pre-processing risk tools, not reactive incident governance
—IS NOT: General risk management or audit functions — privacy incident management is triggered specifically by actual or suspected events affecting personal data
—IS NOT: Data breach insurance claims management — though incident documentation feeds insurance processes

Connected concepts in the graph

Every cubelet sits in a knowledge graph. Here's what this one connects to.

PART OF

Privacy GovernanceISACA CDPSE Domain 1: Privacy Governance — Management

REQUIRES

Privacy Impact Assessment (PIA/DPIA)Data Classification and InventoryThird-Party/Vendor Privacy ManagementAccess Control Governance

RELATED TO

Cybersecurity Incident ResponsePrivacy Risk Management

ENABLES

Regulatory Compliance (GDPR, HIPAA, CCPA)Data Subject Rights Fulfillment

CONSTRAINS

Data Retention and Minimization Practices

Practice this judgment ↗

Adaptive, ~8 min

Sit in the practitioner's chair ↗

Live simulator

06 · APPLYSign up to enter the judgment simulator →

Watch your judgment grow on this concept

Create a free account to unlock all 6 faces, the judgment simulator, and a mastery score that updates with every attempt.