The European Union’s General Data Protection Regulation (GDPR) came into effect last month with a mighty thud. This wide-ranging law requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within the European Union.
GDPR applies to all companies operating in Europe and all companies with a website or app that captures and processes the data of EU citizens. The complexity of GDPR is breathtaking. It consists of 99 articles that detail the rights of individuals and the obligations of companies.
Corporate failure to comply with the law can result in substantial fines: up to €20 million or 4 percent of a company’s global revenue, whichever is higher. Two pain points stand out: a requirement to notify EU authorities within 72 hours of a breach, and another to prove the company’s security approach is state-of-the-art.
Most US Companies are Not Ready
A slew of reports indicate that most US companies are woefully unprepared for GDPR. A recent survey by Spiceworks reveals that only 25 percent of US companies were compliant with the tough new law when it was enacted on May 25.
The findings also show that most US companies are not concerned about potential GDPR penalties, and, as a result, many are failing to make compliance a priority. However, about 20 percent of US respondents said the law will make it more difficult for their company to do business.
GDPR emphasizes transparency, security and accountability for data controllers. It introduces mandatory data protection impact assessments (DPIAs) for companies involved in high-risk processing. Examples of ‘high-risk’ processing include deploying new technologies, engaging in activities that involve significant profiling of individuals, or carrying out large-scale monitoring of a public area.
The law mandates that data processors establish formalized incident response procedures, create an internal breach notification process, communicate a personal data breach to the data subject without delay, and notify the supervisory authority within 72 hours of a breach. Companies that fail to meet these obligations are non-compliant and face fines.
Five Steps to Take Now
To prepare for a data breach under GDPR, companies should implement the following immediately.
- Start with compliance: This involves working with the legal department and/or an external auditing firm to assess whether the company is compliant with GDPR. Both data ‘controllers’, who determine how and why personal data is processed, and data ‘processors’, who act on behalf of controllers, must comply with GDPR.
- Establish GDPR playbooks: To gather evidence about a data breach and document it, companies need a streamlined process. Incident response and case management playbooks provide a pre-defined set of procedures, processes and workflows in the event of a breach.
- Create GDPR workflows: Customized workflows are required to respond swiftly to various incident types. They can prioritize tasks; assign duties to specific stakeholders; and formalize, enforce, and measure specific response steps. Centralizing these on a single platform for collaboration is recommended.
- Establish reporting capabilities: To satisfy data breach reporting and notification within GDPR’s 72-hour time frame, the ability to gather, anonymize and share data from various sources is essential. Put in place automated procedures for preparing detailed reports based on incident and forensic data, and set up mechanisms to quickly send breach notifications to affected customers.
- Be able to meet the 72-hour notification mandate: This is arguably one of GDPR’s toughest requirements. It imposes a three-day deadline to detect and contain a breach and to fully report on the details while following strict protocols, including documenting the events and making sure the proper incident response and case management procedures have been followed. Routine assessments should be conducted to ensure the necessary processes and procedures are in place and that stakeholders are trained and understand their responsibilities.
Data breach detection and response is never easy under any circumstances. GDPR has significantly raised the stakes by requiring more detailed documentation and an extremely short notification window. Preparation and planning today are the surest way to avoid the hefty fines and public scrutiny that are in store for organizations that fail to comply with GDPR.
John Moran is senior product manager at DFLabs