July 27, 2018 By Gant Redmon 3 min read

The European Union (EU)’s General Data Protection Regulation (GDPR) is in full effect, but many organizations still don’t have the processes in place to be compliant. According to an IBM survey, only 36 percent of executives said they expect to be GDPR-compliant by the enforcement date.

For many organizations, one of the top challenges is complying with the GDPR’s tight 72-hour data breach notification window. To help organizations accelerate their incident response times and meet this deadline, we’ve outlined steps privacy teams can take before, during and after a data breach to help them comply with the GDPR and improve their overall privacy and security processes.

Before the Breach: Preparing Your Incident Response

Being prepared to follow the GDPR’s Article 33 instructions for reporting a data breach to your supervisory authority is just as important as acting quickly when the breach hits. Proper incident response planning and practice are essential for any privacy and security team, but the GDPR’s harsh penalties amplify the need to be prepared.

Developing a proven, consistent and repeatable incident response plan is critical for complying with the GDPR. This plan should include all steps that are needed in the event of a data breach and should be tested frequently to identify gaps.

During the Breach: Orchestration, Automation and Documentation

Once a data breach has been discovered, the GDPR’s Article 33 outlines the information that an organization must determine and document to stay compliant.

This includes:

  • The nature of the breach, such as the number and types of data records and data subjects;
  • Contact details for your data protection officer or similar point of contact;
  • The likely consequences of the personal data breach; and
  • Measures taken or proposed to be taken by the controller to address the personal data breach.

During this step, the organization should also document the effects of the breach and remedial actions taken. This information will be required by the supervisory authority after the breach, and preparing this proactively can save teams valuable time.

Additionally, organizations should seek ways to leverage orchestration and automation during this step to help accelerate response times and make their efforts more effective and efficient.

After the Breach: Notifying Authorities Within 72 Hours

At this point, the 72-hour clock to notify the supervisory authority has started. Organizations need to begin the conversation with them during this window and show all the data that has been collected. If it’s not possible to provide all the necessary information at the same time, the information may be provided in phases without undue further delay, per article 33.

It’s not just about showing the results of the breach, however. Organizations should explain the data breach, including what security measures were already in place and how they plan to improve the process. This means conducting a postmortem analysis of the situation — a requirement under the GDPR.

After the conversation with the supervisory authority, organizations need to implement these adjustments. Security teams should develop a plan to update the incident response process and resume best practices for testing and updating the plan.

Learn more about GDPR and how IBM Security SOAR can help you respond to incidents faster

Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.

More from Incident Response

3 recommendations for adopting generative AI for cyber defense

3 min read - In the past eighteen months, generative AI (gen AI) has gone from being the source of jaw-dropping demos to a top strategic priority in nearly every industry. A majority of CEOs report feeling under pressure to invest in gen AI. Product teams are now scrambling to build gen AI into their solutions and services. The EU and US are beginning to put new regulatory frameworks in place to manage AI risks.Amid all this commotion, hackers and other cybercriminals are hardly…

What we can learn from the best collegiate cyber defenders

3 min read - This year marked the 19th season of the National Collegiate Cyber Defense Competition (NCCDC). For those unfamiliar, CCDC is a competition that puts student teams in charge of managing IT for a fictitious company as the network is undergoing a fundamental transformation. This year the challenge involved a common scenario: a merger. Ten finalist teams were tasked with managing IT infrastructure during this migrational period and, as an added bonus, the networks were simultaneously attacked by a group of red…

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today