General Data Protection Regulation (GDPR) is the legal set of guidelines for the collection and processing of personal information by organizations within the European Union (EU). GDPR also applies if personal data of an EU resident is maintained, regardless of where the organization is located, so its impacts are far-reaching. One of the tenets of GDPR relates to the management and reporting of security incidents. Specific rules and guidelines for companies include:
- Establishing documented procedures for handling security breaches
- Reporting breaches to supervising authorities within 72 hours of the incident’s occurrence
- Following rules for notice to individuals in the event of a breach. Notice to individuals is not required if personal data is encrypted, high risks were already mitigated, or reporting would involve disproportionate effort. In that case, a public communication could suffice unless the supervising authority requires individual notice.
While the GDPR has rules related to incident management and reporting as noted above, specific procedures for addressing and reporting on breaches are not defined within the GDPR. However, failure to respond to and report breaches can pose significant costs to your organization, including receiving a warning, receiving a temporary or definitive ban on processing personal data, and/or being assessed fines of up to 4% of an organization's global annual revenue or EUR 20 million, whichever is greater. How can your organization put together the processes to properly respond to GDPR breaches? Below are some initial thoughts:
- Creating a mitigation strategy so that any breach can be handled in a consistent manner
- Maintaining structured records of your organization’s compliance in the event you must demonstrate it to regulators
- Ensuring processes are repeatable and defensible in the event of a breach
- Using techniques such as information mapping, decision charts, and workflows or playbooks to track where personal data is maintained and to determine whether such data needs to be retained
Trillium has significant experience in privacy and cybersecurity, as well as in process and procedure mapping and implementation. We can assist your organization in determining your level of risk related to GDPR, whether your response and reporting procedures are adequate, and what your path forward should be.