Last month, I took part in a General Data Protection Regulation (GDPR) Summit panel in London where I spoke on the topic of breach notification. Here are the discussion points resulting from the debate, as well as the overarching theme that focused on how businesses are preparing for the new data breach notification timing of 72 hours.

For many organizations, the GDPR represents the first time they will have a formal obligation to make a notification, both to a supervisory body and to affected individuals. The GDPR brings a timeline that no organization has experienced before, and it’s important to understand that a company must report a breach within 72 hours of becoming aware of the breach, where feasible.

How Long Does It Take to Detect a Data Breach?

Being aware of the data breach is an important point here. The Ponemon Institute publishes an annual report, sponsored by IBM, analyzing the cost of a data breach. The 2017 report showed that the mean time to detect an incident was 191 days — with a further 66 days required to contain the incident. While these timelines have improved annually over the past few years, they clearly are at odds with an organization’s ability to notify within 72 hours.

Once a potential incident has been detected, an organization must activate its incident response (IR) process. This means determining what has happened, what type of attack took place and then working on how the breach can be contained.

The U.K.’s Information Commissioner’s Office (ICO) states that they will not expect to receive comprehensive reports at the outset of the discovery or detection of an incident. They will want to know the potential scope and the cause of the breach, what the mitigation action plan is and how a company is working to address the problem.

Understanding Your Personal Data

Many of us are receiving emails from companies who are checking to see if we require a relationship with them. This data “spring clean” implies that organizations are only holding information that is relevant to their business. It’s also incredibly important for organizations to know what data exists and where it is kept.

It would be hard to determine the risk represented by a data breach if an organization did not know what personal data existed and where it was stored and processed. It’s an obvious point, but you cannot secure and protect personal data if you are unclear about its existence.

Securing Your Data

The GDPR provides a clear reason for companies to re-evaluate their security strategies. In Article 32, organizations are encouraged to put in place a level of security appropriate to the risk. So, how do organizations decide what is appropriate?

The panel discussed how companies are looking at adapting industry standards for cybersecurity, whether it be the ISO 27001, Cyber Essentials Scheme or Information Security Forum’s Controls Framework. Selecting a standard, evaluating the organization’s capabilities and gaps against the standard and then implementing solutions for those gaps, was felt by the panel to be an important part of GDPR preparedness.

Breach Notification

Having a detailed and current record of processing activities will be a great asset in determining whether the breached data was personal in nature. This is critical in helping the organization assess whether there is a risk of harm or infringement of rights of the affected data subjects.

This will help the organization determine whether or not they need to notify an incident and if they do, to which bodies and at what scale. It’s important to understand that not every little incident will require notification. You have to assess the impact and risk to an individual’s privacy and security.

Multi-Teaming and Muscle Memory

Effective incident response requires multidisciplinary teaming from across business functions including IT, human resources (HR), legal, the data protection officer (DPO) and communications. Getting all these functions to work effectively together, quickly, under pressure — perhaps with the eyes of the world’s media on them — is unlikely to come about without thorough preparation.

If an organization isn’t doing so already, it’s time to rehearse the IR plan. You have to make it muscle memory, just like the emergency services act at the scene of an accident. Practice your breach crisis plan and create your run books. You will need this in the event of a breach to show you are doing everything possible to fulfill the GDPR breach notification requirements, and report within 72 hours of becoming aware of the incident.

Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including GDPR. IBM does not provide legal advice and does not represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation. Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.



More from Incident Response

3 recommendations for adopting generative AI for cyber defense

3 min read - In the past eighteen months, generative AI (gen AI) has gone from being the source of jaw-dropping demos to a top strategic priority in nearly every industry. A majority of CEOs report feeling under pressure to invest in gen AI. Product teams are now scrambling to build gen AI into their solutions and services. The EU and US are beginning to put new regulatory frameworks in place to manage AI risks.Amid all this commotion, hackers and other cybercriminals are hardly…

What we can learn from the best collegiate cyber defenders

3 min read - This year marked the 19th season of the National Collegiate Cyber Defense Competition (NCCDC). For those unfamiliar, CCDC is a competition that puts student teams in charge of managing IT for a fictitious company as the network is undergoing a fundamental transformation. This year the challenge involved a common scenario: a merger. Ten finalist teams were tasked with managing IT infrastructure during this migrational period and, as an added bonus, the networks were simultaneously attacked by a group of red…

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today