The way you respond to data breaches has changed forever.

The European Union General Data Protection Regulation (GDPR) is fundamentally changing the way organizations must approach their handling of customer data. One of the biggest shifts is the new 72-Hour Data Breach Notification requirement in GDPR, which completely alters the speed at which organizations must notify authorities and impacted customers in the event of a breach.


Mimecast Chief Trust Officer and Data Protection Officer Marc French sat down with TechTarget’s Mike Perkowski recently to discuss all things GDPR. What follows is a transcript of their discussion on the GDPR’s 72-Hour Data Breach Notification requirement.

Mike Perkowski: Tell us a little bit about who has to be notified in the event of a breach and what that means for organizations.

Marc French: So, this is a bit of a fundamental shift in how folks have done breach response up until today. So, historically what would happen in a typical breach is, you would think something is going wrong in your organization and you would do the investigation. At the point in time you would recognize that, “it’s probably an incident and I need to tell people,” you would begin the notification to authorities. So, the clock starts when you actually confirm.

With GDPR, it’s much different now. It’s the time that you become aware, and then the clock starts. So, if you think about a protracted investigation, something comes in, you look at it and say, “hmm, could be bad, I’ll set my analysts on it,” it could be two or three weeks before you actually confirm there’s been a breach. Now, the minute that comes in, and you say “hmm, something doesn’t seem right,” the clock starts. You have 72 hours to actually do the notification.

The notification happens in two fashions. One is, you have to notify the local supervisory authority in the country in which you operate. So, you may need to notify, say, the UK’s Information Commissioner’s Office if it happens in London or the Dutch Data Protection Authority, once that clock starts at 72 hours. From there, you’ll continue your investigation and depending on the nature of that investigation you may now need to fold into notifying the individual consumers or customers once you’ve actually confirmed it. So, it’s kind of two steps.

It even gets a little more complicated in situations where you’re not the actual controller of the data, you’re processing someone else’s data, because collectively the two of you together have 72 hours. So, if I’m the processor for you, Mike, and I’m taking your data and performing some action on it and I find an issue, I don’t get 72 hours and I give it to you because you’re going to make the notification and you get 72 hours. Collectively, the two of us together have 72 hours, which means that for those of us that are in a business where we’re actually a processor, we’re actually going to have a tighter coupling with everybody that’s giving us their data because we need to work together on an incident breach notification now.

It’s not siloed, “I make a notification, now you do.” We’re now a much tighter partnership for this going forward.
