For companies that don’t have a data breach response plan yet, the task of achieving General Data Protection Regulation (GDPR) compliance might feel overwhelming. Article 33 of the regulation, which went into effect on May 25, 2018, sets a strict timeline for breach disclosure. It mandates that “the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority.”

Companies have 72 hours — and the clock is ticking.

What does an organization need to do to report a data breach within this 72-hour window? Overwhelmed or not, enterprises must adapt to the reality of this tight deadline and have a plan in place to meet it in the event of data compromise.

Start the Timer: Your Data Breach Response Plan

According to GDPR, a data breach report should include a description of the nature of the incident, the number of records potentially compromised, the likely consequences of the breach and the organization’s plans for remediation.

Does this sound like a tall order? It’s worth noting that there’s some flexibility in the reporting requirement. Article 33 states that if a company misses the 72-hour deadline, it must include a valid reason for the delay when it does report the breach.

Of course, this isn’t a license to rest on your laurels.

“The key thing that the regulatory authorities will look for is transparency and accountability and that you can demonstrate that you have started your journey,” said Brian Honan, CEO of BH Consulting, in a May 2018 interview with Information Security Media Group.

Against the Clock: Strike a Balance Between Productivity and Data Security

Companies can no longer defend themselves against cyberthreats by relying solely on antivirus software and firewall protections — especially when it comes to securing customer data. This reality is why it’s critical to understand the data your organization holds and have a policy for managing it throughout its life cycle. Holding onto assets that no longer have value only puts companies at risk.

Companies can better secure their data by implementing breach detection technologies that identify anomalous patterns. These tools provide data visibility, including a timeline of the attack. Some tools also provide artificial intelligence (AI)-powered monitoring capabilities and insight into storage environments from the cloud.

Successful breach prevention requires a proper balance between enabling productivity and protecting assets. This is why it’s crucial to adopt a proactive security plan capable of adapting to today’s evolving threat landscape.

Time Flies: Monitor Users to Understand Insider Threats

Earlier this year, a healthcare savings institution suffered a data breach after an employee’s email account was compromised, according to Infosecurity Magazine. Two days after an unauthorized user accessed the account, the malicious activity was detected, the account was destroyed and a forensics firm launched an investigation. That’s almost record-breaking dwell time — and an indication that the company proactively monitors users to identify potential insider threats.

“Often, attacks like these target privileged users with access to sensitive or valuable systems or data,” said Sam Elliott, director of security product management at remote support company Bomgar. “While companies are aware of this, providing security around these types of users without limiting their ability to do their jobs effectively is difficult.”

One way to address the threat of malicious insiders is to clearly define privileged users and install controls that allow employees to only access what they need to perform their jobs. By monitoring user behavior, security teams can establish a pattern of regular activity and quickly raise red flags when anomalies occur.

Insider threats are often not malicious, but attackers frequently aim to compromise user credentials through social engineering tactics. The ability to recognize changes in user behaviors allows analysts to detect incidents and respond more quickly — reducing dwell time and minimizing the impact of a breach.

Beat the Clock: Develop and Implement an Incident Response Plan

Many companies will struggle to report incidents within the mandated 72-hour window. IBM recommends tapping the expertise of a computer security incident response team (CSIRT) to address challenges related to post-breach response and resilience. Also, security teams must establish and follow a comprehensive incident response plan designed to help the organization meet compliance in the aftermath of a breach.

The very process of developing an incident response plan will reveal weaknesses in existing security strategies. Once established, the plan should regularly be tested. This tactic will enable organizations to strengthen business continuity and disaster recovery operations to minimize the impact of a breach and the disruption that typically follows. More importantly, it will help them stay on the right side of GDPR compliance today and in the future.

Read more content to help you prepare for GDPR compliance

More from Data Protection

Transitioning to Quantum-Safe Encryption

With their vast increase in computing power, quantum computers promise to revolutionize many fields. Artificial intelligence, medicine and space exploration all benefit from this technological leap — but that power is also a double-edged sword. The risk is that threat actors could abuse quantum computers to break the key cryptographic algorithms we depend upon for the safety of our digital world. This poses a threat to a wide range of critical areas. Fortunately, alternate cryptographic algorithms that are safe against…

How Do You Plan to Celebrate National Computer Security Day?

In October 2022, the world marked the 19th Cybersecurity Awareness Month. October might be over, but employers can still talk about awareness of digital threats. We all have another chance before then: National Computer Security Day. The History of National Computer Security Day The origins of National Computer Security Day trace back to 1988 and the Washington, D.C. chapter of the Association for Computing Machinery’s Special Interest Group on Security, Audit and Control. As noted by National Today, those in…

Resilient Companies Have a Disaster Recovery Plan

Historically, disaster recovery (DR) planning focused on protection against unlikely events such as fires, floods and natural disasters. Some companies mistakenly view DR as an insurance policy for which the likelihood of a claim is low. With the current financial and economic pressures, cutting or underfunding DR planning is a tempting prospect for many organizations. That impulse could be costly. Unfortunately, many companies have adopted newer technology delivery models without DR in mind, such as Cloud Infrastructure-as-a-Service (IaaS), Software-as-a-Service (SaaS)…

Millions Lost in Minutes — Mitigating Public-Facing Attacks

In recent years, many high-profile companies have suffered destructive cybersecurity breaches. These public-facing assaults cost organizations millions of dollars in minutes, from stock prices to media partnerships. Fast Company, Rockstar, Uber, Apple and more have all been victims of these costly and embarrassing attacks. The total average cost of a data breach has increased by 2.6% since 2021 and is now $4.35 million. Organizations that don't deploy zero trust security models also incur an average of $1 million more in…