Since going into effect in May 2018, GDPR has caused quite a stir. In particular, professional services firms that use data capture solutions to collect large amounts of personal data (often referred to as personally identifiable information, or PII) about their clients, such as those in the legal industry, have been under immense pressure to ensure compliance and avoid hefty penalties.
Most organizations are aware that to stay GDPR-compliant they need to implement security measures that protect the personal data individuals have entrusted to them. However, protecting that data is only part of what GDPR requires. One of the top challenges for many organizations is putting in place a GDPR data breach response plan that can meet the tight 72-hour notification window.
GDPR Data Breach Response Plan: A Must-Have Procedural Guide To Handling Data Breaches
GDPR (Article 33) requires a data controller to report a personal data breach to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned; if the notification is late, the reasons for the delay must accompany it. This tight timeline means you simply can't "make it up as you go." Instead, you need a well-designed response plan to guide your organization through every step of the procedure so nothing falls through the cracks.
Here are the key activities in a GDPR data breach response plan:
- Assemble an internal breach response team with representatives from customer care, executive leadership, HR, IT, legal, and public relations.
- Contact the appropriate external breach response partners, such as communication advisors, data breach resolution providers, forensics experts, and legal counsel.
- Create a data breach report that demonstrates transparency, accountability, and the effort made to contain the breach. Article 33(3) requires it to include at least the following:
  - A description of the nature of the incident
  - The categories and approximate number of individuals and records affected
  - The likely consequences of the breach
  - Contact details of the data protection officer or another point of contact
  - Measures taken to address the breach, and
  - The organization's plan for remediation, including measures to mitigate possible adverse effects.
- Document the effects of the breach and the steps taken to remedy the situation. GDPR requires controllers to keep a record of every personal data breach (its facts, its effects, and the remedial action taken), including breaches that did not need to be notified, so the supervisory authority can verify compliance. Since much of this information also feeds the notification itself, documenting the investigation and remediation carefully as you go improves both the accuracy and the speed of reporting.
- Notify the supervisory authority within 72 hours of becoming aware of the breach. You may not have all the required information right away; GDPR explicitly allows it to be supplied in phases without undue further delay, so file the initial notification on time, open the dialogue with the authority, and show that you are collecting the facts and implementing measures to remediate the situation rather than waiting for the full picture. Where the breach is likely to result in a high risk to the affected individuals, you must also communicate it to them directly without undue delay (Article 34).
- Conduct a postmortem analysis of the incident and implement any adjustments required by the supervisory authority. Based on that dialogue, your security team should learn from the incident, refine the procedure, and test the updated response plan on an ongoing basis, for example through tabletop exercises.
Minimize Your Risk By Taking Control Of Your Data
While a comprehensive response plan is absolutely necessary to stay GDPR compliant, you should start by minimizing your risk exposure. After all, the best-case scenario is never needing to execute the breach response plan.
An ounce of prevention is worth a pound of cure: take inventory of your data estate, identify where personal data lives and which of those resources are at risk, and close the gaps in your data security measures so you can prevent breaches and contain threats. See how DDC OS USA's RiskView can help your organization become GDPR compliant.