The European Union (EU)’s General Data Protection Regulation (GDPR) is in full effect, but many organizations still don’t have the processes in place to be compliant. According to an IBM survey, only 36 percent of executives said they expect to be GDPR-compliant by the enforcement date.

For many organizations, one of the top challenges is complying with the GDPR’s tight 72-hour data breach notification window. To help organizations accelerate their incident response times and meet this deadline, we’ve outlined steps privacy teams can take before, during and after a data breach to help them comply with the GDPR and improve their overall privacy and security processes.

Before the Breach: Preparing Your Incident Response

Being prepared to follow the GDPR’s Article 33 instructions for reporting a data breach to your supervisory authority is just as important as acting quickly when the breach hits. Proper incident response planning and practice are essential for any privacy and security team, but the GDPR’s harsh penalties amplify the need to be prepared.

Developing a proven, consistent and repeatable incident response plan is critical for complying with the GDPR. This plan should include all steps that are needed in the event of a data breach and should be tested frequently to identify gaps.

During the Breach: Orchestration, Automation and Documentation

Once a data breach has been discovered, the GDPR’s Article 33 outlines the information that an organization must determine and document to stay compliant.

This includes:

  • The nature of the breach, such as the number and types of data records and data subjects;
  • Contact details for your data protection officer or similar point of contact;
  • The likely consequences of the personal data breach; and
  • Measures taken or proposed to be taken by the controller to address the personal data breach.

During this step, the organization should also document the effects of the breach and remedial actions taken. This information will be required by the supervisory authority after the breach, and preparing this proactively can save teams valuable time.

Additionally, organizations should seek ways to leverage orchestration and automation during this step to help accelerate response times and make their efforts more effective and efficient.

After the Breach: Notifying Authorities Within 72 Hours

At this point, the 72-hour clock to notify the supervisory authority has started. Organizations need to begin the conversation with them during this window and show all the data that has been collected. If it’s not possible to provide all the necessary information at the same time, the information may be provided in phases without undue further delay, per article 33.

It’s not just about showing the results of the breach, however. Organizations should explain the data breach, including what security measures were already in place and how they plan to improve the process. This means conducting a postmortem analysis of the situation — a requirement under the GDPR.

After the conversation with the supervisory authority, organizations need to implement these adjustments. Security teams should develop a plan to update the incident response process and resume best practices for testing and updating the plan.

Learn more about GDPR and how IBM Security SOAR can help you respond to incidents faster

Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.

More from Incident Response

SOCs Spend 32% of the Day On Incidents That Pose No Threat

4 min read - When it comes to the first line of defense for any company, its Security Operations Center (SOC) is an essential component. A SOC is a dedicated team of professionals who monitor networks and systems for potential threats, provide analysis of detected issues and take the necessary actions to remediate any risks they uncover. Unfortunately, SOC members spend nearly one-third (32%) of their day investigating incidents that don't actually pose a real threat to the business according to a new report…

4 min read

Poor Communication During a Data Breach Can Cost You — Here’s How to Avoid It

5 min read - No one needs to tell you that data breaches are costly. That data has been quantified and the numbers are staggering. In fact, the IBM Security Cost of a Data Breach estimates that the average cost of a data breach in 2022 was $4.35 million, with 83% of organizations experiencing one or more security incidents. But what’s talked about less often (and we think should be talked about more) is how communication — both good and bad — factors into…

5 min read

Ransomware Renaissance 2023: The Definitive Guide to Stay Safer

2 min read - Ransomware is experiencing a renaissance in 2023, with some cybersecurity firms reporting over 400 attacks in the month of March alone. And it shouldn’t be a surprise: the 2023 X-Force Threat Intelligence Index found backdoor deployments — malware providing remote access — as the top attacker action in 2022, and aptly predicted 2022’s backdoor failures would become 2023’s ransomware crisis. Compounding the problem is the industrialization of the cybercrime ecosystem, enabling adversaries to complete more attacks, faster. Over the last…

2 min read

Expert Insights on the X-Force Threat Intelligence Index

5 min read - Top insights are in from this year’s IBM Security X-Force Threat Intelligence Index, but what do they mean? Three IBM Security X-Force experts share their thoughts on the implications of the most pressing cybersecurity threats, and offer guidance for what organizations can do to better protect themselves. Moving Left of Boom: Early Backdoor Detection Andy Piazza, Global Head of Threat Intelligence at IBM Security X-Force, sat down with Security Intelligence to chat with us about the rise in the deployment…

5 min read