72-hour rule: Can you identify and report a data breach within 3 days?
In a series of blog posts, the ‘Coach’ offers recommendations on how to get businesses into shape so they can thrive in the new data era.
The 72-hour rule included in the European Union’s General Data Protection Regulation (GDPR) has become a major focus for businesses as they work towards compliance.
Article 33 states that breaches must be reported to the regulator within 72 hours of an organization becoming aware of them, and to the affected data subjects “without undue delay” after the business becomes aware of the breach.
What exactly constitutes “undue delay” will become clearer as the GDPR is applied in practice, but the thrust of the regulation is clear. The procedural implications for larger companies can seem overwhelming.
Adherence is within your grasp, as long as you have the policies, procedures, support, services and technology in place to enable an automated chain of events for responding to security breaches.
Countdown to GDPR compliance
Teams tasked with meeting GDPR commitments need a well-rehearsed incident-response plan in place, with clear and consistent processes and workflows. This prevents them from having to ask questions such as:
- What kind of breach is this?
- What data was touched?
- Who should we notify internally?
- What exactly do we tell customers and the regulator?
- Who is handling the breach?
- Who owns which actions?
The processes and workflows you set up should be tailored to work with the technological solutions you have in place. A GDPR partner should be able to help by offering step-by-step guides, interactive tools, simulations and drills to help you rehearse sequences of actions in the event of different types of data breaches.
Finding the right technology
Automation is one of the keys to meeting the GDPR’s data-breach response obligations. For larger companies, it can be an efficient way to respond successfully to data breaches.
Finding a good GDPR partner is a natural starting point. Informed by a data-security impact assessment, they can guide businesses along the road to compliance by formulating policies and rules that will help teams and the systems they use monitor, audit, record and provide alerts on any unauthorized activities related to personal data.
Then, in the event of a breach, incident response platforms provide tools that automate many of the required actions, such as starting a breach investigation, reporting to the relevant authorities, and opening lines of communication and workflows between the right areas of the business.
Security solutions are also available to enable organizations to process customer data-activity reports selected on a by-user, by-controller or by-application basis. These reports can be used to inform relevant parties of breaches, detailing who, where, when and how data was accessed.
These security tools aren’t only useful in the event of a breach. Their primary purpose is to prevent and protect, another important aspect of the GDPR. The regulation encourages businesses to provide a level of data protection appropriate to the risks they face. Data encryption, data minimization and pseudonymization are key technologies for mitigating those risks.
The security opportunity
Businesses with longstanding commitments to transparency, customer security and privacy may find the GDPR easier to adhere to than others. But the specific reporting timeframes are likely to require even the most conscientious of businesses to reassess their processes.
The GDPR is your chance to implement a structured, evolving data protection program that will enhance customer trust and loyalty, empower employees, and benefit the business for years to come.
For more from the “Coach” take a look at the rest of this GDPR series.
Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.