The EU’s General Data Protection Regulation (GDPR) went into effect May 25th, and it brings a few challenges that organizations within its scope need to be ready to address. When an organization suffers a security incident that falls within the scope of the GDPR, a response may be required, and how the organization must respond depends on the magnitude of the incident. For the purposes of this discussion, we will assume a response is required to the regional official, the Supervisory Authority, or SA.
An organization must notify the Supervisory Authority if a personal data breach is likely to result in risk to the rights and freedoms of individuals. If the breach is likely to affect the rights and freedoms of individuals, those individuals must be notified directly along with the Supervisory Authority.
One challenge presented by the GDPR is the speed at which the Supervisory Authority must be notified. The SAs must be notified within 72 hours of the organization becoming aware of the breach. That may sound like plenty of time – it is three days, after all – but for anything other than a very minor incident, three days is a brief moment to gather information and determine the extent of the impact.
Though breach notifications are not new, as most US states have a notification requirement, the brief time required by the GDPR may catch some companies by surprise. I will address the information that needs to be communicated to the Supervisory Authority in a future blog post.
The second challenge surrounds the way the GDPR views an incident. Traditional incident response activities are often triggered by events that include unauthorized access and data loss or theft. The intent may or may not be known, and until a determination is made, the response generally proceeds as if the events are the result of an actor with malicious intent.
After the intent has been determined, the incident may be re-categorized based on an organization’s policies. The GDPR expands and standardizes the definition of an incident to include the accidental or unlawful destruction, loss, or alteration of personal data, and the unauthorized disclosure of, or access to, personal data.
The third challenge is an extension of the second. Is the organization prepared for the kind of detection and response activity that the GDPR’s definition of an incident requires? Organizations should review their existing logging strategy and be prepared to make changes. Consider one logging strategy that may need a refresh to satisfy the GDPR: if an organization only logs failure events, is that sufficient to support investigation of incidents caused by accidents? An accidental deletion, alteration, or disclosure of personal data is, from the system’s point of view, a successful operation, so a failure-only log never records it.
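To make the logging point concrete, here is an added example (not code from the original post) that runs two review passes over a small, constructed audit trail: the traditional failure-only view, and a view that also examines successful events for bulk destruction, alteration, or export of personal data. The JSON-lines audit records, the row threshold, and the allow-list of accounts expected to touch personal data in bulk are all hypothetical values chosen for illustration.

```python
"""Added example: why a failure-only logging strategy misses GDPR-style incidents.

The audit events below are constructed for illustration (not real data). Each is
a JSON line such as an application or database audit trail might emit. The first
pass keeps only failures; the second also examines successful events, because an
accidental deletion, alteration, or export of personal data succeeds as far as
the system is concerned.
"""
import json
from collections import defaultdict

# Constructed sample audit trail. 'pii' marks tables holding personal data.
SAMPLE_AUDIT_LOG = """\
{"ts":"2018-06-01T09:02:11Z","actor":"alice","action":"read","table":"customers","pii":true,"rows":1,"outcome":"success"}
{"ts":"2018-06-01T09:05:40Z","actor":"mallory","action":"read","table":"customers","pii":true,"rows":0,"outcome":"failure"}
{"ts":"2018-06-01T09:07:03Z","actor":"bob","action":"update","table":"customers","pii":true,"rows":48211,"outcome":"success"}
{"ts":"2018-06-01T09:07:59Z","actor":"bob","action":"delete","table":"customers","pii":true,"rows":48211,"outcome":"success"}
{"ts":"2018-06-01T09:10:22Z","actor":"carol","action":"export","table":"orders","pii":false,"rows":9000,"outcome":"success"}
{"ts":"2018-06-01T09:12:45Z","actor":"svc_backup","action":"export","table":"customers","pii":true,"rows":48211,"outcome":"success"}
"""

# Hypothetical threshold; a real deployment would tune this per table and actor.
BULK_ROW_THRESHOLD = 1000
# Actions that map onto the GDPR breach definition: destruction/loss (delete),
# alteration (update), unauthorized disclosure (export).
DESTRUCTIVE_OR_DISCLOSING = {"delete", "update", "export"}
# Hypothetical allow-list of accounts expected to touch personal data in bulk.
EXPECTED_BULK_ACTORS = {"svc_backup"}


def parse_audit_log(text):
    """Parse JSON lines into dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a malformed line should be counted elsewhere, not stop the review
    return events


def failure_only_alerts(events):
    """Traditional strategy: only failed operations are recorded and reviewed."""
    return [e for e in events if e["outcome"] == "failure"]


def gdpr_aware_alerts(events):
    """Also review successful events that could constitute a personal data breach:
    bulk destructive, altering, or disclosing operations on personal data by an
    actor not expected to perform them."""
    alerts = []
    for e in events:
        if e["outcome"] != "success" or not e.get("pii"):
            continue
        if (e["action"] in DESTRUCTIVE_OR_DISCLOSING
                and e["rows"] >= BULK_ROW_THRESHOLD
                and e["actor"] not in EXPECTED_BULK_ACTORS):
            alerts.append(e)
    return alerts


def affected_record_estimate(alerts):
    """Rough count of personal-data rows touched per actor (operations on the
    same rows are summed, so treat it as an upper bound). This is one of the
    inputs a 72-hour notification will need."""
    totals = defaultdict(int)
    for e in alerts:
        totals[e["actor"]] += e["rows"]
    return dict(totals)


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_AUDIT_LOG)
    print("failure-only view:", len(failure_only_alerts(evs)), "event(s)")
    for a in gdpr_aware_alerts(evs):
        print("needs review:", a["ts"], a["actor"], a["action"], a["table"], a["rows"])
    print("rows touched per actor:", affected_record_estimate(gdpr_aware_alerts(evs)))
```

Run against the constructed log, the failure-only view surfaces a single denied read, while the second pass surfaces the successful bulk update and delete of the customers table by an ordinary user: exactly the accidental destruction or alteration the GDPR definition covers, and exactly what a failure-only log would never contain.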
Many organizations may take a wait-and-see approach before making decisions regarding their GDPR strategy. There are certainly business cases that can be made to support varying strategies. Developing a business case requires some consideration of risk, and the GDPR delivers in this area in the form of fines levied at the discretion of the Supervisory Authority.
Depending on the severity of the incident, the Supervisory Authority can levy a fine against an organization of 20 million Euros or 4% of the organization’s global revenue, whichever results in the greater amount.
If an organization fails to report an incident that should have been reported, then in addition to the fine just mentioned, the Supervisory Authority can levy a further fine of 10 million Euros or 2% of global revenue.