In order to resolve security incidents as quickly as possible and prevent as much damage as possible, a responsible person (e.g., data protection officer or information security officer) should be defined. This person must be contacted immediately if a security incident occurs or is suspected. It must be clearly communicated to all employees who that person is, so that they know who to contact in case of an emergency.
To be able take legal actions after security incidents it is important to collect evidence during and after the security incident. It is therefore important for the organization to define processes for the identification, collection, acquisition and preservation of evidence.