GDPR: Dealing With the Mandatory 72-Hour Breach Notification Requirement

Michael Walter, Managing Director Security and Privacy
Pam Kamath, Associate Director Security and Privacy

Article 33 of the General Data Protection Regulation (GDPR) requires that, in the event of a personal data breach, the data controller – without undue delay and, where feasible, no later than 72 hours after becoming aware of it – notify the appropriate supervisory authority.

Organizations appear to be taking this requirement to heart. The Information Commissioner’s Office (ICO), the UK’s data privacy watchdog and GDPR enforcer, received 1,750 breach reports in June 2018 – a number that far exceeds the 400 breaches on average reported in April and May.

The number of data breach notifications the ICO received in June may not necessarily equate to confirmed data breaches – but that doesn’t matter. A key takeaway from this statistic is that businesses are recognizing that under the GDPR, it is better to report a suspected data breach within the stipulated time than not to report it, because the fines for discovered unreported breaches are higher.

What constitutes a personal data breach?

In Article 4 of the GDPR, a personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of, or access to, personal data. The article defines the standards for notification as follows:

  1. Supervisory authorities must be notified when the personal data breach is likely to result in a “risk to the rights and freedoms of natural persons.”
  2. Data subjects must be notified when a personal data breach is likely to result in a “high risk to the rights and freedoms of natural persons.”

The GDPR relies heavily on a risk-based approach to determine whether a breach triggers a personal data breach notification. What might appear to be a risk to the rights and freedoms of individuals may differ from case to case. When in doubt, report it.

Are you equipped to handle the speed mandated by GDPR Article 33?

Considering the very short reporting window, fumbling through the breach notification process may prove disastrous. As we’ve noted previously, organizations that fail to comply could face fines of up to €20M or 4 percent of their annual global turnover from the prior year. No one wants to open up their pockets that deep.

To minimize the impact of a personal data breach, organizations must have a 72-hour incident-response plan in place and tested. It should be based on a clear policy, have consistent processes around breach detection, and explicitly spell out the 72-hour reporting process.

Once a personal data breach is detected, an organization must be prepared to activate its incident-response plan with the goal of quick escalation and decision-making. The plan should identify the type of breach, who is responsible for handling the breach notification process, actions to contain the breach, notification information (who and when to notify), forensic actions, and appropriate risk management.

A good plan should further outline key actions that may be necessary to contain and recover from the incident as the organization prepares to notify the concerned parties.

There are eight preparatory actions we recommend organizations undertake now in order to effectively respond to breaches within the 72 hours mandated by the GDPR:

  1. Establish a formal incident-response plan and policy. An incident-response policy outlines the organization’s expectations around response to an incident. It clearly lays out how the organization should respond to incidents, including naming the specific business departments or individuals who need to be involved in the response.
  2. Form an incident-response team, with clear roles and responsibilities for each team member. That team should include a C-level leader, as well as an HR or legal representative to handle sensitive personal issues.
  3. Develop a communication plan that outlines who is authorized to communicate about the breach, what should be communicated and to whom – customers, authorities, law enforcement, insurance, media, etc.
  4. Maintain an up-to-date personal data inventory. This will allow the incident-response team to isolate issues more quickly and respond to the breach more effectively.
  5. Regularly assess your attack-surface landscape for possible threats and implement necessary incident-detection and incident-tracking tools. Threats evolve, and so does your attack surface.
  6. Be ready to contain, remediate and recover, even as the notification process is underway. Stay on top of remediation efforts until all threats have been removed.
  7. Ensure that the incident-response team is trained and that there is sufficient awareness within the organization about its role during a data breach. Train staff and practice the plan routinely, ideally on a quarterly basis.
  8. Regularly audit and incorporate lessons learned into your incident-response program. Compile a detailed report of past breaches and corrective measures taken with the goal of ensuring that a similar incident will not occur again.

An incident-response program is a continuous process and not a “snapshot in time.” While the GDPR and its stringent requirements have brought the importance of such a program into sharp focus, it should be considered an integral part of the information-security and business-continuity operations of any organization, whether it is subject to the GDPR or not.

We have covered, and will continue to cover, data-privacy issues here and on our Technology Insights blog. You can also visit the GDPR resources page on our website. Your questions and comments are welcome.

Diana Candela and Stephen Nation of Protiviti’s Security and Privacy practice contributed to this content.