This blog was originally published in the IBM Big Data & Analytics Hub on May 22, 2018.
In a series of blog posts, the ‘Coach’ offers recommendations on how to get businesses into shape so they can thrive in the new data era.
The 72-hour rule included in the European Union’s General Data Protection Regulation (GDPR) has become a major focus for businesses as they work towards compliance.
Article 33 requires that a breach be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of the organization becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. Article 34 separately requires that affected data subjects be informed “without undue delay” when the breach is likely to result in a high risk to them.
What exactly constitutes “undue delay” will become clearer as the GDPR is applied in practice, but the thrust of the regulation is clear. The procedural implications for larger companies can seem overwhelming.
Adherence is within your grasp, as long as you have the policies, procedures, support, services and technology in place to enable an automated chain of events for responding to security breaches.
The coach’s take: “Responding to breaches in the right way can show customers how much you care about their data and, in turn, your relationship with them.”
Teams tasked with meeting GDPR commitments need a well-rehearsed incident-response plan in place, with clear and consistent processes and workflows. This prevents them from having to ask questions such as:
The processes and workflows you set up should be tailored to work with the technological solutions you have in place. A GDPR partner should be able to help by offering step-by-step guides, interactive tools, simulations and drills to help you rehearse sequences of actions in the event of different types of data breaches.
Automation is one of the keys to meeting the GDPR’s data-breach response obligations. For larger companies, it can be an efficient way to respond successfully to data breaches.
Finding a good GDPR partner is a natural starting point. Informed by a data protection impact assessment (DPIA), they can guide businesses along the road to compliance by formulating policies and rules that will help teams and the systems they use monitor, audit, record and provide alerts on any unauthorized activities related to personal data.
Then, in the event of a breach, incident response platforms provide tools that automate many of the required actions, such as starting a breach investigation, reporting to the relevant authorities, and opening lines of communication and workflows between the right areas of the business.
The coach’s take: “Technology itself isn’t a GDPR panacea. It might be prudent to look for a technology partner that can offer guidance, advice and training, too.”
Security solutions are also available to enable organizations to process customer data-activity reports selected on a by-user, by-controller or by-application basis. These reports can be used to inform relevant parties of breaches, detailing who, where, when and how data was accessed.
These security tools aren’t only useful in the event of a breach. Their primary purpose is to prevent and protect, another important aspect of the GDPR. Article 32 requires businesses to implement technical and organizational measures appropriate to the risks they face, and names encryption and pseudonymization of personal data as examples; together with data minimization, these are key measures for reducing the impact of a breach.
Businesses with longstanding commitments to transparency, customer security and privacy may find the GDPR easier to adhere to than others. But the specific reporting timeframes are likely to require even the most conscientious of businesses to reassess their processes.
The GDPR is your chance to implement a structured, evolving data protection program that will enhance customer trust and loyalty, empower employees, and benefit the business for years to come.
Start your compliance journey today!