Trillium Insights

Thoughts and Insights from Trillium's Practice Leaders

How do you respond to GDPR security incidents?


General Data Protection Regulation (GDPR) is the set of legal guidelines for the collection and processing of personal information by organizations within the European Union (EU). GDPR also applies if personal data of an EU resident is maintained, regardless of where the organization is located, so its impacts are far-reaching. One of the tenets of GDPR relates to the response to and reporting of security incidents. Specific guidelines for organizations include:

  • Reporting breaches to supervising authorities within 72 hours of the incident’s occurrence
  • Following your organization’s documented procedures for handling GDPR security breaches
  • Following rules for notice to individuals in the event of a breach. Notice to individuals is not required if personal data is encrypted, high risks were already mitigated, or reporting would involve disproportionate effort. In that case, a public communication could suffice unless the supervising authority requires individual notice.
  • Showing proof that you followed the mitigation strategies you previously established
  • Demonstrating that you are establishing new or revised mitigation procedures to counteract this specific breach

While the GDPR has rules related to incident management and reporting, specific procedures for addressing and reporting on breaches are not defined within the GDPR. However, failure to respond to and report breaches can pose significant costs to your organization, including receiving a warning, receiving a temporary or definitive ban on processing personal data, and/or being assessed fines of up to 4% of an organization’s global annual revenue or EUR 20 million, whichever is greater. It is critical that you have a strategy in place for responding to and reporting on GDPR security incidents.

Trillium has significant experience in privacy and cybersecurity, as well as in process and procedure mapping and implementation. We can assist your organization in determining your level of risk related to GDPR, whether your response and reporting procedures are adequate, and what your path forward should be.