Last month, I took part in a General Data Protection Regulation (GDPR) Summit panel in London where I spoke on the topic of breach notification. Here are the discussion points resulting from the debate, as well as the overarching theme that focused on how businesses are preparing for the new data breach notification timing of 72 hours.

For many organizations, the GDPR represents the first time they will have a formal obligation to make a notification, both to a supervisory body and to affected individuals. The GDPR brings a timeline that no organization has experienced before, and it’s important to understand that a company must report a breach within 72 hours of becoming aware of the breach, where feasible.

How Long Does It Take to Detect a Data Breach?

Being aware of the data breach is an important point here. The Ponemon Institute publishes an annual report, sponsored by IBM, analyzing the cost of a data breach. The 2017 report showed that the mean time to detect an incident was 191 days — with a further 66 days required to contain the incident. While these timelines have improved annually over the past few years, they clearly are at odds with an organization’s ability to notify within 72 hours.

Once a potential incident has been detected, an organization must activate its incident response (IR) process. This means determining what has happened, what type of attack took place and then working on how the breach can be contained.

The U.K.’s Information Commissioner’s Office (ICO) states that they will not expect to receive comprehensive reports at the outset of the discovery or detection of an incident. They will want to know the potential scope and the cause of the breach, what the mitigation action plan is and how a company is working to address the problem.

Understanding Your Personal Data

Many of us are receiving emails from companies who are checking to see if we require a relationship with them. This data “spring clean” implies that organizations are only holding information that is relevant to their business. It’s also incredibly important for organizations to know what data exists and where it is kept.

It would be hard to determine the risk represented by a data breach if an organization did not know what personal data existed and where it was stored and processed. It’s an obvious point, but you cannot secure and protect personal data if you are unclear about its existence.

Securing Your Data

The GDPR provides a clear reason for companies to re-evaluate their security strategies. In Article 32, organizations are encouraged to put in place a level of security appropriate to the risk. So, how do organizations decide what is appropriate?

The panel discussed how companies are looking at adapting industry standards for cybersecurity, whether it be the ISO 27001, Cyber Essentials Scheme or Information Security Forum’s Controls Framework. Selecting a standard, evaluating the organization’s capabilities and gaps against the standard and then implementing solutions for those gaps, was felt by the panel to be an important part of GDPR preparedness.

Breach Notification

Having a detailed and current record of processing activities will be a great asset in determining whether the breached data was personal in nature. This is critical in helping the organization assess whether there is a risk of harm or infringement of rights of the affected data subjects.

This will help the organization determine whether or not they need to notify an incident and if they do, to which bodies and at what scale. It’s important to understand that not every little incident will require notification. You have to assess the impact and risk to an individual’s privacy and security.

Multi-Teaming and Muscle Memory

Effective incident response requires multidisciplinary teaming from across business functions including IT, human resources (HR), legal, the data protection officer (DPO) and communications. Getting all these functions to work effectively together, quickly, under pressure — perhaps with the eyes of the world’s media on them — is unlikely to come about without thorough preparation.

If an organization isn’t doing so already, it’s time to rehearse the IR plan. You have to make it muscle memory, just like the emergency services act at the scene of an accident. Practice your breach crisis plan and create your run books. You will need this in the event of a breach to show you are doing everything possible to fulfill the GDPR breach notification requirements, and report within 72 hours of becoming aware of the incident.

Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including GDPR. IBM does not provide legal advice and does not represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation. Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.



More from Data Protection

Transitioning to Quantum-Safe Encryption

With their vast increase in computing power, quantum computers promise to revolutionize many fields. Artificial intelligence, medicine and space exploration all benefit from this technological leap — but that power is also a double-edged sword. The risk is that threat actors could abuse quantum computers to break the key cryptographic algorithms we depend upon for the safety of our digital world. This poses a threat to a wide range of critical areas. Fortunately, alternate cryptographic algorithms that are safe against…

How Do You Plan to Celebrate National Computer Security Day?

In October 2022, the world marked the 19th Cybersecurity Awareness Month. October might be over, but employers can still talk about awareness of digital threats. We all have another chance before then: National Computer Security Day. The History of National Computer Security Day The origins of National Computer Security Day trace back to 1988 and the Washington, D.C. chapter of the Association for Computing Machinery’s Special Interest Group on Security, Audit and Control. As noted by National Today, those in…

Resilient Companies Have a Disaster Recovery Plan

Historically, disaster recovery (DR) planning focused on protection against unlikely events such as fires, floods and natural disasters. Some companies mistakenly view DR as an insurance policy for which the likelihood of a claim is low. With the current financial and economic pressures, cutting or underfunding DR planning is a tempting prospect for many organizations. That impulse could be costly. Unfortunately, many companies have adopted newer technology delivery models without DR in mind, such as Cloud Infrastructure-as-a-Service (IaaS), Software-as-a-Service (SaaS)…

Millions Lost in Minutes — Mitigating Public-Facing Attacks

In recent years, many high-profile companies have suffered destructive cybersecurity breaches. These public-facing assaults cost organizations millions of dollars in minutes, from stock prices to media partnerships. Fast Company, Rockstar, Uber, Apple and more have all been victims of these costly and embarrassing attacks. The total average cost of a data breach has increased by 2.6% since 2021 and is now $4.35 million. Organizations that don't deploy zero trust security models also incur an average of $1 million more in…