Be ahead. Be secure. Be compliant.

 - a case study -

GDPR and DORA - incident management

Summary 

  • By merging policy, process and procedures, governance, third-party contracts, and training into a unified incident management program, the pension fund is able today to effectively manage ICT incidents in a way that satisfies both DORA and GDPR.

    This holistic, streamlined approach not only meets regulatory obligations but also strengthens overall operational resilience.

Context and Challenge 

  • The pension fund, with more than 750 employees and over 450.000 customers, falls under DORA’s scope for ICT-related incident management, which requires standardized classification and timely reporting of incidents.
  • GDPR demands that breaches impacting personal data be reported "without undue delay," and within 72 hours.
  • A challenge arises when an ICT incident potentially involves personal data—it is not always clear whether to trigger DORA procedures, GDPR breach notification procedures, or both.

Nordic Data Compliance Centre's Approach

1. Analysing the incident management and personal data breach process implemented under GDPR.

  • Performed an in-depth analysis and identified major gaps in the current process.
  • Performed an in-depth analysis of DORA requirements and developed a plan to integrate them into the client’s existing incident management process, which itself required improvement based on the gap analysis findings.
  • Defined clear incident classification criteria that satisfy both frameworks—ensuring that major ICT incidents under DORA and personal data breaches under GDPR are promptly identified and handled accordingly.

2. Create, Optimize and Implement Policy, Process and Procedures.

  • Developed detailed but only necessary documentation including incident response, business continuity, ICT risk management, and data-breach handling procedures, ensuring they mutually reinforce:
      • DORA’s requirements for incident reporting and classification.
      • GDPR’s requirements for breach notification, including minimizing associated risks.

3. Contractual & Third-party Alignment

  • Updated current and created new data processing agreements under both GDPR’s and DORA’s requirements, covering among others:
    • Roles and responsibilities, data subject rights, security, sub-processors, data transfers.
    • Ensured that third-party vendors can notify the pension fund of incidents according to DORA / GDPR requirements, that risk assessments are performed on an ongoing basis with identified risks mitigated, and that requirements for business continuity and disaster recovery plans are in place.

4. Governance, Training & Oversight

  • Used a RACI matrix to appoint the individuals responsible, accountable, consulted and informed in the IT, legal, compliance and communication teams.
  • Assigned a designated incident and communication lead, aligning with GDPR’s and DORA’s requirements for crisis communication, including communication plans for both internal and external stakeholders.
  • Conducted staff training focusing on:
      • Recognizing and classifying ICT-related and personal data incidents.
      • DORA’s incident reporting timelines and GDPR’s breach notification requirements.
      • DPO’s role in the new governance set-up. 

At a later stage, the client is prepared to simulate incidents to ensure that the implemented GDPR and DORA policy, process and procedures are consistently applied and practiced.

Your compliance success could be next!