Last month, I took part in a General Data Protection Regulation (GDPR) Summit panel in London where I spoke on the topic of breach notification. Here are the discussion points resulting from the debate, as well as the overarching theme that focused on how businesses are preparing for the new data breach notification timing of 72 hours.

For many organizations, the GDPR represents the first time they will have a formal obligation to make a notification, both to a supervisory body and to affected individuals. The GDPR brings a timeline that no organization has experienced before, and it’s important to understand that a company must report a breach within 72 hours of becoming aware of the breach, where feasible.

How Long Does It Take to Detect a Data Breach?

Being aware of the data breach is an important point here. The Ponemon Institute publishes an annual report, sponsored by IBM, analyzing the cost of a data breach. The 2017 report showed that the mean time to detect an incident was 191 days — with a further 66 days required to contain the incident. While these timelines have improved annually over the past few years, they clearly are at odds with an organization’s ability to notify within 72 hours.

Once a potential incident has been detected, an organization must activate its incident response (IR) process. This means determining what has happened, what type of attack took place and then working on how the breach can be contained.

The U.K.’s Information Commissioner’s Office (ICO) states that they will not expect to receive comprehensive reports at the outset of the discovery or detection of an incident. They will want to know the potential scope and the cause of the breach, what the mitigation action plan is and how a company is working to address the problem.

Understanding Your Personal Data

Many of us are receiving emails from companies who are checking to see if we require a relationship with them. This data “spring clean” implies that organizations are only holding information that is relevant to their business. It’s also incredibly important for organizations to know what data exists and where it is kept.

It would be hard to determine the risk represented by a data breach if an organization did not know what personal data existed and where it was stored and processed. It’s an obvious point, but you cannot secure and protect personal data if you are unclear about its existence.

Securing Your Data

The GDPR provides a clear reason for companies to re-evaluate their security strategies. In Article 32, organizations are encouraged to put in place a level of security appropriate to the risk. So, how do organizations decide what is appropriate?

The panel discussed how companies are looking at adapting industry standards for cybersecurity, whether it be the ISO 27001, Cyber Essentials Scheme or Information Security Forum’s Controls Framework. Selecting a standard, evaluating the organization’s capabilities and gaps against the standard and then implementing solutions for those gaps, was felt by the panel to be an important part of GDPR preparedness.

Breach Notification

Having a detailed and current record of processing activities will be a great asset in determining whether the breached data was personal in nature. This is critical in helping the organization assess whether there is a risk of harm or infringement of rights of the affected data subjects.

This will help the organization determine whether or not they need to notify an incident and if they do, to which bodies and at what scale. It’s important to understand that not every little incident will require notification. You have to assess the impact and risk to an individual’s privacy and security.

Multi-Teaming and Muscle Memory

Effective incident response requires multidisciplinary teaming from across business functions including IT, human resources (HR), legal, the data protection officer (DPO) and communications. Getting all these functions to work effectively together, quickly, under pressure — perhaps with the eyes of the world’s media on them — is unlikely to come about without thorough preparation.

If an organization isn’t doing so already, it’s time to rehearse the IR plan. You have to make it muscle memory, just like the emergency services act at the scene of an accident. Practice your breach crisis plan and create your run books. You will need this in the event of a breach to show you are doing everything possible to fulfill the GDPR breach notification requirements, and report within 72 hours of becoming aware of the incident.

Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including GDPR. IBM does not provide legal advice and does not represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation. Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.



More from Incident Response

Tequila OS 2.0: The first forensic Linux distribution in Latin America

3 min read - Incident response teams are stretched thin, and the threats are only intensifying. But new tools are helping bridge the gap for cybersecurity pros in Latin America.IBM Security X-Force Threat Intelligence Index 2023 found that 12% of the security incidents X-force responded to were in Latin America. In comparison, 31% were in the Asia-Pacific, followed by Europe with 28%, North America with 25% and the Middle East with 4%. In the Latin American region, Brazil had 67% of incidents that X-Force…

Alert fatigue: A 911 cyber call center that never sleeps

4 min read - Imagine running a 911 call center where the switchboard is constantly lit up with incoming calls. The initial question, “What’s your emergency, please?” aims to funnel the event to the right responder for triage and assessment. Over the course of your shift, requests could range from soft-spoken “I’m having a heart attack” pleas to “Where’s my pizza?” freak-outs eating up important resources. Now add into the mix a volume of calls that burnout kicks in and important threats are missed.…

SIEM and SOAR in 2023: Key trends and new changes

4 min read - Security information and event management (SIEM) systems remain a key component of security operations centers (SOCs). Security orchestration, automation, and response (SOAR) frameworks, meanwhile, have emerged to fill the gap in these capabilities left by many SIEM systems. But as many companies have begun reaching the limits of SIEM and SOAR systems over the last few years, they have started turning to other solutions such as extended detection and response (XDR). But does this shift spell the end of SIEM…

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…