This document provides guidance on data protection and incident response. It discusses the importance of knowing your data and systems, having response plans that follow privacy principles, and understanding relevant regulations. Key points include designing security and privacy into systems by default, containing incidents, identifying causes, and learning from mistakes to prevent future issues. Enforcement agencies are identified for different jurisdictions. The overall message is that preparation, knowledge, and careful response are needed to protect assets during a crisis.