How Does the GDPR Data Breach Notification Work?
The way you respond to data breaches has changed forever.
The European Union General Data Protection Regulation (GDPR) is fundamentally changing the way organizations must approach their handling of customer data. One of the biggest shifts is the new 72-Hour Data Breach Notification requirement in GDPR, which completely alters the speed at which organizations must notify authorities and impacted customers in the event of a breach.
Mimecast Chief Trust Officer and Data Protection Officer Marc French sat down with TechTarget’s Mike Perkowski recently to discuss all things GDPR. What follows is a transcript of their discussion on the GDPR’s 72-Hour Data Breach Notification requirement.
Mike Perkowski: Tell us a little bit about who has to be notified in the event of a breach and what that means for organizations.
Marc French: So, this is a bit of a fundamental shift in how folks have done breach response up until today. So, historically what would happen in a typical breach is, you would think something is going wrong in your organization and you would do the investigation. At the point in time you would recognize that, “it’s probably an incident and I need to tell people,” you would begin the notification to authorities. So, the clock starts when you actually confirm.
With GDPR, it’s much different now. It’s the time that you become aware, and then the clock starts. So, if you think about a protracted investigation, something comes in, you look at it and say, “hmm, could be bad, I’ll set my analysts on it,” it could be two or three weeks before you actually confirm there’s been a breach. Now, the minute that comes in, and you say “hmm, something doesn’t seem right,” the clock starts. You have 72 hours to actually do the notification.
The notification happens in two fashions. One is, you have to notify the local supervisory authority in the country in which you operate. So, you may need to notify, say, the UK’s Information Commissioner’s Office if it happens in London or the Dutch Data Protection Authority, once that clock starts at 72 hours. From there, you’ll continue your investigation and depending on the nature of that investigation you may now need to fold into notifying the individual consumers or customers once you’ve actually confirmed it. So, it’s kind of two steps.
It even gets a little more complicated in situations where you’re not the actual controller of the data, you’re processing someone else’s data, because collectively the two of you together have 72 hours. So, if I’m the processor for you, Mike, and I’m taking your data and performing some action on it and I find an issue, I don’t get 72 hours and I give it to you because you’re going to make the notification and you get 72 hours. Collectively, the two of us together have 72 hours, which means that for those of us that are in a business where we’re actually a processor, we’re actually going to have a tighter coupling with everybody that’s giving us their data because we need to work together on an incident breach notification now.
It’s not siloed, “I make a notification, now you do.” We’re now a much tighter partnership for this going forward.