Last month, I took part in a General Data Protection Regulation (GDPR) Summit panel in London where I spoke on the topic of breach notification. Here are the discussion points resulting from the debate, as well as the overarching theme that focused on how businesses are preparing for the new data breach notification timing of 72 hours.
For many organizations, the GDPR represents the first time they will have a formal obligation to make a notification, both to a supervisory body and to affected individuals. The GDPR brings a timeline that no organization has experienced before, and it’s important to understand that a company must report a breach within 72 hours of becoming aware of the breach, where feasible.
How Long Does It Take to Detect a Data Breach?
Being aware of the data breach is an important point here. The Ponemon Institute publishes an annual report, sponsored by IBM, analyzing the cost of a data breach. The 2017 report showed that the mean time to detect an incident was 191 days — with a further 66 days required to contain the incident. While these timelines have improved annually over the past few years, they clearly are at odds with an organization’s ability to notify within 72 hours.
Once a potential incident has been detected, an organization must activate its incident response (IR) process. This means determining what has happened, what type of attack took place and then working on how the breach can be contained.
The U.K.’s Information Commissioner’s Office (ICO) states that they will not expect to receive comprehensive reports at the outset of the discovery or detection of an incident. They will want to know the potential scope and the cause of the breach, what the mitigation action plan is and how a company is working to address the problem.
Understanding Your Personal Data
Many of us are receiving emails from companies who are checking to see if we require a relationship with them. This data “spring clean” implies that organizations are only holding information that is relevant to their business. It’s also incredibly important for organizations to know what data exists and where it is kept.
It would be hard to determine the risk represented by a data breach if an organization did not know what personal data existed and where it was stored and processed. It’s an obvious point, but you cannot secure and protect personal data if you are unclear about its existence.
Securing Your Data
The GDPR provides a clear reason for companies to re-evaluate their security strategies. In Article 32, organizations are encouraged to put in place a level of security appropriate to the risk. So, how do organizations decide what is appropriate?
The panel discussed how companies are looking at adapting industry standards for cybersecurity, whether it be the ISO 27001, Cyber Essentials Scheme or Information Security Forum’s Controls Framework. Selecting a standard, evaluating the organization’s capabilities and gaps against the standard and then implementing solutions for those gaps, was felt by the panel to be an important part of GDPR preparedness.
Having a detailed and current record of processing activities will be a great asset in determining whether the breached data was personal in nature. This is critical in helping the organization assess whether there is a risk of harm or infringement of rights of the affected data subjects.
This will help the organization determine whether or not they need to notify an incident and if they do, to which bodies and at what scale. It’s important to understand that not every little incident will require notification. You have to assess the impact and risk to an individual’s privacy and security.
Multi-Teaming and Muscle Memory
Effective incident response requires multidisciplinary teaming from across business functions including IT, human resources (HR), legal, the data protection officer (DPO) and communications. Getting all these functions to work effectively together, quickly, under pressure — perhaps with the eyes of the world’s media on them — is unlikely to come about without thorough preparation.
If an organization isn’t doing so already, it’s time to rehearse the IR plan. You have to make it muscle memory, just like the emergency services act at the scene of an accident. Practice your breach crisis plan and create your run books. You will need this in the event of a breach to show you are doing everything possible to fulfill the GDPR breach notification requirements, and report within 72 hours of becoming aware of the incident.
Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including GDPR. IBM does not provide legal advice and does not represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation. Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.
CHECK OUT THE DPO PLAYBOOK FOR GDPR