Last month, I took part in a General Data Protection Regulation (GDPR) Summit panel in London where I spoke on the topic of breach notification. Here are the discussion points that came out of the debate, along with its overarching theme: how businesses are preparing for the new 72-hour data breach notification deadline.

For many organizations, the GDPR represents the first time they will have a formal obligation to make a notification, both to a supervisory body and to affected individuals. The GDPR brings a timeline that no organization has experienced before, and it’s important to understand that a company must report a breach within 72 hours of becoming aware of the breach, where feasible.

How Long Does It Take to Detect a Data Breach?

Being aware of the data breach is an important point here. The Ponemon Institute publishes an annual report, sponsored by IBM, analyzing the cost of a data breach. The 2017 report showed that the mean time to detect an incident was 191 days — with a further 66 days required to contain the incident. While these timelines have improved annually over the past few years, they clearly are at odds with an organization’s ability to notify within 72 hours.

Once a potential incident has been detected, an organization must activate its incident response (IR) process. This means determining what has happened, what type of attack took place and then working on how the breach can be contained.

The U.K.’s Information Commissioner’s Office (ICO) states that it will not expect to receive comprehensive reports at the outset of the discovery or detection of an incident. It will want to know the potential scope and the cause of the breach, what the mitigation action plan is and how the company is working to address the problem.

Understanding Your Personal Data

Many of us are receiving emails from companies that are checking to see if we still require a relationship with them. This data “spring clean” implies that organizations are only holding information that is relevant to their business. It’s also incredibly important for organizations to know what data exists and where it is kept.

It would be hard to determine the risk represented by a data breach if an organization did not know what personal data existed and where it was stored and processed. It’s an obvious point, but you cannot secure and protect personal data if you are unclear about its existence.

Securing Your Data

The GDPR provides a clear reason for companies to re-evaluate their security strategies. In Article 32, organizations are encouraged to put in place a level of security appropriate to the risk. So, how do organizations decide what is appropriate?

The panel discussed how companies are looking at adapting industry standards for cybersecurity, whether ISO 27001, the Cyber Essentials Scheme or the Information Security Forum’s Controls Framework. Selecting a standard, evaluating the organization’s capabilities and gaps against that standard, and then implementing solutions for those gaps was felt by the panel to be an important part of GDPR preparedness.

Breach Notification

Having a detailed and current record of processing activities will be a great asset in determining whether the breached data was personal in nature. This is critical in helping the organization assess whether there is a risk of harm or infringement of rights of the affected data subjects.

This will help the organization determine whether or not it needs to notify of an incident and, if it does, to which bodies and at what scale. It’s important to understand that not every minor incident will require notification. You have to assess the impact and risk to an individual’s privacy and security.

Multi-Teaming and Muscle Memory

Effective incident response requires multidisciplinary teaming from across business functions including IT, human resources (HR), legal, the data protection officer (DPO) and communications. Getting all these functions to work effectively together, quickly, under pressure — perhaps with the eyes of the world’s media on them — is unlikely to come about without thorough preparation.

If an organization isn’t doing so already, it’s time to rehearse the IR plan. You have to make it muscle memory, just like the emergency services act at the scene of an accident. Practice your breach crisis plan and create your run books. You will need this in the event of a breach to show you are doing everything possible to fulfill the GDPR breach notification requirements, and report within 72 hours of becoming aware of the incident.

Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including GDPR. IBM does not provide legal advice and does not represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation. Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.
