
5.2.5 Notification

Notification is an essential element of accountability. A strong accountability-based approach requires cloud providers to notify all affected parties of the occurrence of an incident or discovered policy violation within a reasonable timeframe. Notifications can be provided through common means such as e-mail or letters to the relevant parties, or through dedicated communication channels designated for the purpose (usually between cloud providers).

The RA does not prescribe particular methods for notification, recognising that the circumstances around each incident are rarely the same and that flexibility should be allowed in choosing which mechanisms to mobilise during response. However, the following functions should be implemented for a strong accountability-based approach:

  • Obligations to provide notification within a predefined, reasonable timeframe should be reflected in the policies enforced. As such, any policy-support services implemented (discussed in section 5.2.1) should ensure that this element is explicitly supported.
  • An automated approach to the transmission of notifications can reduce the burden of operating this part of the accountability lifecycle. As such, organisations may opt to implement services supporting the exchange of machine- and human-readable notifications based on a predefined protocol that has provisions for the inclusion of information about the incident (including evidence of which subset of a subject's personal data was involved in the incident) and, where possible, links to an automatic remediation management system, discussed next.