What is GDPR?
On 25 May 2018 the European Union's General Data Protection Regulation (GDPR) comes into force, imposing stronger accountability obligations on any organisation holding personal data and much tougher controls on data security. Any organisation that processes the personal data of people in the EU is affected by these new rules, including organisations not based in the EU themselves. For the first time, a general data breach notification duty is written into EU-wide law. All qualifying organisations need to be familiar with these changes and adapt their policies, business structure and strategy accordingly.
Data Breach Definition
A data breach occurs when personal or confidential data is accessed, disclosed, altered or stolen by an unauthorised party. The data involved could be PHI (personal health information), PII (personally identifiable information), intellectual property or trade secrets. A data breach also covers accidental loss or unauthorised deletion of data by the people who are authorised to hold it; a breach does not require an external attacker.
Breach Notification Requirements
These new rules are complex, and one of the more demanding aspects of GDPR is the data breach notification requirement. GDPR standardises the breach notification laws in the EU, which currently differ greatly between member states. This ensures that organisations must actively watch for breaches of personal data, and it creates a common understanding of the steps required when such an incident occurs.
GDPR obliges a data controller to notify its supervisory data protection authority (DPA) within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. Any notification sent after the 72-hour window must include a written explanation of the reasons for the delay. If the delay is properly documented the DPA may accept it without further action, but this should be treated as the exception rather than the rule. A separate obligation requires the controller to inform the affected individuals without undue delay when the breach is likely to put them at high risk. A notification that is delayed without good cause, or that otherwise fails to meet the regulation's requirements, can attract a fine of up to 2% of annual global turnover or €10 million, whichever is higher.
Breaches are discovered in many different ways, ranging from a staff member realising they have disclosed sensitive data to the wrong audience, to security monitoring technology raising an alert. The new rules mean organisations need the right technologies and processes in place to detect and respond to a breach within the 72-hour window. An effective incident response plan is a critical component of GDPR compliance, and this is something all organisations should be thinking about and preparing for now.
A Cyber Incident Response Plan (CIRP) is the documented and approved record of a company's planning and preparation for a data breach. An effective CIRP covers detection methods for all potential incidents, addressing both technical intrusions and more mundane breaches such as a staff member leaving a client's file on a train.
The fundamental elements of a strong CIRP are an understanding and awareness of the potential threats and their impact on the organisation, coupled with the controls needed to mitigate that risk. Business impact mitigation, cyber insurance, media relations, crisis decision making, handling of malicious attacks and the allocation of roles and responsibilities are just a few of the components a good CIRP should cover.
If you are looking to improve your CIRP before May 2018, start by thinking about the composition of your organisation's data: knowing what personal data you hold and where it is stored is key to an efficient CIRP, because you cannot assess the risk of a breach, or notify within 72 hours, without it. Another top tip is to run a test data breach exercise. By testing your CIRP you will uncover any gaps and the improvements needed.
Strong security is soon going to be essential for the survival and growth of a company. Not only will this help businesses make data protection a standard part of their business strategy, it will also improve customer service and client relationships. Come May 2018, make sure you are prepared for the change!