Procurement 3 May 2018

Could your company detect a data breach before the GDPR hourglass empties?

data breach GDPR
Once detected, you only have 72 hours to inform regulatory authorities about a GDPR data breach
Writing for Business Advice ahead of new data protection laws, Richard Agnew, UK and Northern Europe vice president at cloud platform?Code42, offers company owners a guide for responding to a data breach and avoiding a GDPR fine.

Imagine this: Your IT team informs you that a data breach has been detected, exposing the personal data of clients, prospects and indeed anyone who has submitted information through your website. Terrifying for any organisation, right?

Once detected, you only have 72 hours to inform regulatory authorities about the breach, and they’re going to want to know all the who, what, when and where? details about the exposed data.

This is the reality facing companies under the European Union’s General Data Protection Regulation (GDPR). From the moment a data vulnerability that exposes the personal data of a EU citizen is discovered, those precious seconds start ticking away.

To facilitate GDPR compliance, organisations that process or hold personal data of EU citizens need a comprehensive incident response plan. They also need technology that can rapidly identify what information was exposed. With a swift response protocol, the right team and visibility over data, dealing with security incidents in a compliant manner should be achievable.

But one question remains. How should companies structure their incident response policies to ensure GDPR compliance When executed correctly, the following five steps can help your organisation respond to a breach and avoid fines.

  1. Sound the alarm

IT security professionals within your business are alerted by the security solutions they have in place to the potential compromise of personal data. Ideally, the security solution should be a multi-layered stack comprised of a data loss protection tool (DLP), cloud access security broker (CASB) and an endpoint detection and response tool (EDR).

But, absolutely essential is a solution that can quickly flag unusual data traffic and send an automated alert to IT. Under the GDPR, ignorance of a data breach is not a get-out-of-jail-free card. Therefore, visibility of data across all endpoints is crucial.

  1. The 72-hour countdown begins

Your IT team examines the breach notification. If personal data of EU citizens has been compromised, the hourglass is overturned, and you have 72 hours to inform the GDPR regulatory authority. However, if personal information was not exposed, there is no need to inform the regulatory authority and you can correct the issue within the confines of your organisation.?

  1. Hyper awareness of data content

Your security team identifies the content of the exfiltrated data. If it is found to contain personal information of EU citizens, then it is time to take action and respond. You need to establish the extent of the breach and take steps to limit the damage.

Having a comprehensive data visibility tool in place makes it far easier and faster to determine whether the breach involves regulated data, and can prevent unnecessarily informing the authorities if regulated data was not involved.

  1. Covering all the bases

If personal data has been compromised, your company needs to escalate measures beyond the initial response team to include an interdepartmental group. The legal department, PR personnel, risk owners and asset owners should be involved.

An incident post-mortem will be conducted by your Data Protection Officer (DPO) the person responsible for liaising with regulatory officials. Under the GDPR, most companies are required to have an elected DPO, either as a standalone position or as part of someone’s existing duties.

  1. Informing the authorities

Following breach identification, your DPO will notify GDPR regulators of the incident and the compliance investigation process will begin. The investigation will be undertaken by a regulatory board based on your company’s region or country of origin.



HR & Employment