72-hour rule: Can you identify and report a data breach within 3 days?

Data Security Breach

used with permission from IBM Big Data & Analytics Hub
by Seth Dobrin

The 72-hour rule included in the European Union’s General Data Protection Regulation (GDPR) has become a major focus for businesses as they work towards compliance.

Article 33 states that breaches must be reported to the regulator within 72 hours of the organization becoming aware of them, and to the affected data subjects “without undue delay” once the organization is aware of the breach.

What exactly constitutes “undue delay” will become clearer as the GDPR is applied in practice, but the thrust of the regulation is clear. The procedural implications for larger companies can seem overwhelming.

Adherence is within your grasp, as long as you have the policies, procedures, support, services and technology in place to enable an automated chain of events for responding to security breaches.

Countdown to GDPR compliance

Teams tasked with meeting GDPR commitments need a well-rehearsed incident-response plan in place, with clear and consistent processes and workflows, so that when an incident occurs nobody has to stop and ask:

  • What kind of breach is this?
  • What data was touched?
  • Who should we notify internally?
  • What exactly do we tell customers and the regulator?
  • Who is handling the breach?
  • Who owns which actions?

The processes and workflows you set up should be tailored to work with the technological solutions you have in place. A GDPR partner should be able to help by offering step-by-step guides, interactive tools, simulations and drills to help you rehearse sequences of actions in the event of different types of data breaches.

Finding the right technology

Automation is one of the keys to meeting the GDPR’s data-breach response obligations. For larger companies, it can be an efficient way to respond successfully to data breaches.

Finding a good GDPR partner is a natural starting point. Informed by a data-security impact assessment, such a partner can guide a business along the road to compliance by formulating policies and rules that help teams, and the systems they use, monitor, audit, record and raise alerts on any unauthorized activity involving personal data.

Then, in the event of a breach, incident response platforms provide tools that automate many of the required actions, such as starting a breach investigation, reporting to the relevant authorities, and opening lines of communication and workflows between the right areas of the business.

Security solutions are also available to enable organizations to process customer data-activity reports selected on a by-user, by-controller or by-application basis. These reports can be used to inform relevant parties of breaches, detailing who, where, when and how data was accessed.

These security tools aren’t only useful in the event of a breach. Their primary purpose is prevention and protection, another important aspect of the GDPR. The regulation encourages businesses to provide a level of data protection appropriate to the risks they face, and data encryption, data minimization and pseudonymization are key techniques for mitigating those risks.

The security opportunity

Businesses with longstanding commitments to transparency, customer security and privacy may find the GDPR easier to adhere to than others. But the specific reporting timeframes are likely to require even the most conscientious of businesses to reassess their processes.

The GDPR is your chance to implement a structured, evolving data protection program that will enhance customer trust and loyalty, empower employees, and benefit the business for years to come.