July 27, 2018 By Gant Redmon 3 min read

The European Union (EU)’s General Data Protection Regulation (GDPR) is in full effect, but many organizations still don’t have the processes in place to be compliant. According to an IBM survey, only 36 percent of executives said they expect to be GDPR-compliant by the enforcement date.

For many organizations, one of the top challenges is complying with the GDPR’s tight 72-hour data breach notification window. To help organizations accelerate their incident response times and meet this deadline, we’ve outlined steps privacy teams can take before, during and after a data breach to help them comply with the GDPR and improve their overall privacy and security processes.

Before the Breach: Preparing Your Incident Response

Being prepared to follow the GDPR’s Article 33 instructions for reporting a data breach to your supervisory authority is just as important as acting quickly when the breach hits. Proper incident response planning and practice are essential for any privacy and security team, but the GDPR’s harsh penalties amplify the need to be prepared.

Developing a proven, consistent and repeatable incident response plan is critical for complying with the GDPR. This plan should include all steps that are needed in the event of a data breach and should be tested frequently to identify gaps.

During the Breach: Orchestration, Automation and Documentation

Once a data breach has been discovered, the GDPR’s Article 33 outlines the information that an organization must determine and document to stay compliant.

This includes:

  • The nature of the breach, such as the number and types of data records and data subjects;
  • Contact details for your data protection officer or similar point of contact;
  • The likely consequences of the personal data breach; and
  • Measures taken or proposed to be taken by the controller to address the personal data breach.

During this step, the organization should also document the effects of the breach and remedial actions taken. This information will be required by the supervisory authority after the breach, and preparing this proactively can save teams valuable time.

Additionally, organizations should seek ways to leverage orchestration and automation during this step to help accelerate response times and make their efforts more effective and efficient.

After the Breach: Notifying Authorities Within 72 Hours

At this point, the 72-hour clock to notify the supervisory authority has started. Organizations need to begin the conversation with them during this window and show all the data that has been collected. If it’s not possible to provide all the necessary information at the same time, the information may be provided in phases without undue further delay, per article 33.

It’s not just about showing the results of the breach, however. Organizations should explain the data breach, including what security measures were already in place and how they plan to improve the process. This means conducting a postmortem analysis of the situation — a requirement under the GDPR.

After the conversation with the supervisory authority, organizations need to implement these adjustments. Security teams should develop a plan to update the incident response process and resume best practices for testing and updating the plan.

Learn more about GDPR and how IBM Security SOAR can help you respond to incidents faster

Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.

More from Incident Response

Why federal agencies need a mission-centered cyber response

4 min read - Cybersecurity continues to be a top focus for government agencies with new cybersecurity requirements. Threats in recent years have crossed from the digital world to the physical and even involved critical infrastructure, such as the cyberattack on SolarWinds and the Colonial Pipeline ransomware attack. According to the IBM Cost of a Data Breach 2023 Report, a breach in the public sector, which includes government agencies, is up to $2.6 million from $2.07 million in 2022. Government agencies need to move…

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

What cybersecurity pros can learn from first responders

4 min read - Though they may initially seem very different, there are some compelling similarities between cybersecurity professionals and traditional first responders like police and EMTs. After all, in a world where a cyberattack on critical infrastructure could cause untold damage and harm, cyber responders must be ready for anything. But are they actually prepared? Compared to the readiness of traditional first responders, how do cybersecurity professionals in incident response stand up? Let’s dig deeper into whether the same sense of urgency exists…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today