Trillium Insights

Thoughts and Insights from Trillium's Practice Leaders

How do you respond to GDPR security incidents?

General Data Protection Regulation (GDPR) is the set of legal guidelines for the collection and processing of personal information by organizations within the European Union (EU). GDPR also applies if personal data of an EU resident is maintained, regardless of where the organization is located, so its impacts are far-reaching. One of the tenets of GDPR relates to response and reporting of security incidents. Specific guidelines for organizations include:

  • Reporting breaches to supervising authorities within 72 hours of the incident’s occurrence
  • Following your organization’s documented procedures for handling GDPR security breaches
  • Following rules for notice to individuals in the event of a breach. Notice to individuals is not required if personal data is encrypted, high risks were already mitigated, or reporting would involve disproportionate effort. In that case, a public communication could suffice unless the supervising authority requires individual notice.
  • Showing proof that you followed the mitigation strategies you previously established
  • Demonstrating that you are establishing new or revised mitigation procedures to counter this specific breach

While the GDPR has rules related to incident management and reporting, specific procedures for addressing and reporting on breaches are not defined within the GDPR. However, failure to respond to and report breaches can pose significant costs to your organization, including receiving a warning, receiving a temporary or definitive ban on processing personal data, and/or being assessed fines of up to 4% of an organization’s global annual revenue or EUR 20 million, whichever is greater. It is critical that you have a strategy in place for response and reporting on GDPR security incidents.

Trillium has significant experience in privacy, cybersecurity, as well as process and procedure mapping and implementation. We can assist your organization in determining your level of risk related to GDPR, whether your response and reporting procedures are adequate, and what your path forward should be.

How do you mitigate GDPR security incidents?

General Data Protection Regulation (GDPR) is the legal set of guidelines for the collection and processing of personally identifying information (PII) by organizations within the European Union (EU). GDPR also applies if the PII of an EU resident is maintained, regardless of where the organization is located, so its impacts are far-reaching. GDPR has rules related to incident management and reporting; therefore, it is critically important to be proactive and have a mitigation strategy in place, since failure to report and respond to breaches can have a significant financial impact on the organization. How can your organization establish the proper processes to mitigate the risk of GDPR breaches before they occur? Below are some initial thoughts:

1. Using techniques such as information mapping, decision charts, and workflows or playbooks to track where personal data is maintained and determining the need to maintain such data

2. Having a repeatable, documented root cause analysis process in place so that the process can be used in the event of a breach

3. Ensuring the requisite controls and processes are in place, as well as repeatable and defensible, in the event of a breach. This includes following the National Institute of Standards and Technology (NIST) framework for cybersecurity to establish security processes. The framework consists of five (5) core functions that are applicable to GDPR, and which are generally addressed concurrently:

  • Identify – Develop an organizational understanding to manage the GDPR risks to systems, people, assets, data, and capabilities in order to prioritize and focus efforts. Categories within this function include Asset Management, Business Environment, Governance, Risk Assessment, and Risk Management Strategy, all of which would apply within GDPR response.
  • Protect – Develop and implement safeguards to protect delivery of critical services and to contain the impact of a cybersecurity breach. Categories within this function include Identity Management and Access Control, Awareness and Training, Data Security, Information Protection Processes and Procedures, Maintenance, and Protective Technology. These categories are critically important in GDPR compliance, and would include activities such as security assessments and action plans related to the outcomes of the assessments so that any gaps can be addressed.
  • Detect – Develop and implement appropriate activities to identify the occurrence of a GDPR cybersecurity breach, enabling timely discovery of a cybersecurity event. Categories within this function include Anomalies and Events, Security Continuous Monitoring, and Detection Processes.
  • Respond – Develop and implement an action plan regarding a cybersecurity incident, to contain its impact. Categories include Response Planning, Communications, Analysis, Mitigation, and Improvements. Communications and disclosure are specifically required by GDPR.
  • Recover – Develop and implement activities to maintain recovery plans for capabilities that were damaged due to a cybersecurity breach, including timely recovery to normal operations. Categories include Recovery Planning, Improvements, and Communications. Your organization’s ability to be GDPR-compliant relies on planning and continuous improvements to your infrastructure.

4. Maintaining structured records of your organization’s compliance and mitigation to demonstrate it to regulators if necessary

Trillium has significant experience in privacy, cybersecurity, procedure mapping, and implementation, including NIST processes. We can assist your organization in determining your level of risk related to GDPR, whether your response and reporting procedures are adequate, and what your path forward should be.