Light Dark
July 27, 2018 By Gant Redmon 3 min read
Incident Response

The European Union (EU)’s General Data Protection Regulation (GDPR) is in full effect, but many organizations still don’t have the processes in place to be compliant. According to an IBM survey, only 36 percent of executives said they expect to be GDPR-compliant by the enforcement date.

For many organizations, one of the top challenges is complying with the GDPR’s tight 72-hour data breach notification window. To help organizations accelerate their incident response times and meet this deadline, we’ve outlined steps privacy teams can take before, during and after a data breach to help them comply with the GDPR and improve their overall privacy and security processes.

Before the Breach: Preparing Your Incident Response

Being prepared to follow the GDPR’s Article 33 instructions for reporting a data breach to your supervisory authority is just as important as acting quickly when the breach hits. Proper incident response planning and practice are essential for any privacy and security team, but the GDPR’s harsh penalties amplify the need to be prepared.

Developing a proven, consistent and repeatable incident response plan is critical for complying with the GDPR. This plan should include all steps that are needed in the event of a data breach and should be tested frequently to identify gaps.

During the Breach: Orchestration, Automation and Documentation

Once a data breach has been discovered, the GDPR’s Article 33 outlines the information that an organization must determine and document to stay compliant.

This includes:

  • The nature of the breach, such as the number and types of data records and data subjects;
  • Contact details for your data protection officer or similar point of contact;
  • The likely consequences of the personal data breach; and
  • Measures taken or proposed to be taken by the controller to address the personal data breach.

During this step, the organization should also document the effects of the breach and remedial actions taken. This information will be required by the supervisory authority after the breach, and preparing this proactively can save teams valuable time.

Additionally, organizations should seek ways to leverage orchestration and automation during this step to help accelerate response times and make their efforts more effective and efficient.

After the Breach: Notifying Authorities Within 72 Hours

At this point, the 72-hour clock to notify the supervisory authority has started. Organizations need to begin the conversation with them during this window and show all the data that has been collected. If it’s not possible to provide all the necessary information at the same time, the information may be provided in phases without undue further delay, per article 33.

It’s not just about showing the results of the breach, however. Organizations should explain the data breach, including what security measures were already in place and how they plan to improve the process. This means conducting a postmortem analysis of the situation — a requirement under the GDPR.

After the conversation with the supervisory authority, organizations need to implement these adjustments. Security teams should develop a plan to update the incident response process and resume best practices for testing and updating the plan.

Learn more about GDPR and how IBM Security SOAR can help you respond to incidents faster

Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.

 |  |  |  |  |  |  | 
Gant Redmon

More from Incident Response
July 15, 2024

Cybersecurity crisis communication: What to do

4 min read - Cybersecurity experts tell organizations that the question is not if they will become the target of a cyberattack but when. Often, the focus of response preparedness is on the technical aspects — how to stop the breach from continuing, recovering data and getting the business back online. While these tasks are critical, many organizations overlook a key part of response preparedness: crisis communication. Because a brand’s reputation often takes a significant hit, a cyberattack can significantly affect the company’s future…

May 14, 2024

3 recommendations for adopting generative AI for cyber defense

3 min read - In the past eighteen months, generative AI (gen AI) has gone from being the source of jaw-dropping demos to a top strategic priority in nearly every industry. A majority of CEOs report feeling under pressure to invest in gen AI. Product teams are now scrambling to build gen AI into their solutions and services. The EU and US are beginning to put new regulatory frameworks in place to manage AI risks.Amid all this commotion, hackers and other cybercriminals are hardly…

May 3, 2024

What we can learn from the best collegiate cyber defenders

3 min read - This year marked the 19th season of the National Collegiate Cyber Defense Competition (NCCDC). For those unfamiliar, CCDC is a competition that puts student teams in charge of managing IT for a fictitious company as the network is undergoing a fundamental transformation. This year the challenge involved a common scenario: a merger. Ten finalist teams were tasked with managing IT infrastructure during this migrational period and, as an added bonus, the networks were simultaneously attacked by a group of red…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature