There has been much talk about the threat of huge financial penalties when the EU General Data Protection Regulation, or GDPR, hits in May 2018. But another significant provision that organisations need to be thinking about before the new regulation comes into effect is the mandatory 72-hour breach reporting rule.
Article 33 states that “in the case of a personal data breach, data controllers shall without undue delay” notify the appropriate regulator of the breach. It also notes that this notification should happen no later than 72 hours after the breached party has become aware of the incident. This is the 72-hour breach notification law in a nutshell.
However, there are various uncertainties with the wording here, and readers with a legal background are likely to have questions.
First, what exactly constitutes “undue delay”? This may differ for data controllers versus data processors, for example. Under what circumstances would reporting a breach within this timeframe not be deemed “feasible”? This ambiguity is not accidental – the wording is vague in order to allow for many different eventualities.
It would not be a worthwhile exercise to go into depth on the intricacies of this wording, looking at what it may mean and how it may be interpreted. There is much out there on the topic already, for anyone interested in reading up on it further. But what’s clear is that this is likely to be crystallised further down the line, once regulators and courts have to apply the GDPR in practice.
For now, it’s important to ask what exactly this mandatory notification timeline means for an organisation. As it stands, many businesses do not have defined processes in place if a breach was to occur.
There are some simple points that organisations are still struggling with – for example, who should be notified internally? When and what do we tell customers? What is the process for contacting the regulator? Who is making sure the leak isn’t ongoing? And who owns these actions?
The GDPR looks to ensure a business is clear on its responsibilities if a breach occurs, but doesn’t answer the questions above. The company has to notify its national data protection regulator and all those affected where the “data breach is likely to result in a high risk to the(ir) rights and freedoms”. But in the early stages – perhaps within 72 hours of discovering the breach – it still may not be clear exactly who has been affected.
>See also: GDPR: What do you need to know?
Potential confusion around those affected can also create a culture of over-reporting, which can then lead to individuals building up an immunity to data breach notifications. As a consequence, people may not take the recommended steps to mitigate potential harm as they become overwhelmed with the frequent notifications they receive.
It is not easy to find out the ‘who, what, where, when, and how’ of a data breach within 72 hours. But all this information does need to be relayed to the regulator, so having thorough processes in place are a huge advantage here. The CISO needs to be heavily involved from the outset, while smaller businesses may outsource elements of their response to industry experts.
However, Article 34 contains some exceptions to this notification law. For example, one exception is for businesses that have implemented “appropriate technical and organisational protection measures”, such encryption. Article 34 does not go into detail about specific forms of encryption, but clearly organisations looking to comply with the GDPR should look to encrypt data as a sensible precaution.
There are also uncertainties about the differing approaches European regulators will take to enforce penalties on those that have breached the GDPR. Some regulators are very strict, while others focus more on cooperation and future training.
>See also: Benchmarking global readiness for the GDPR
It has been speculated that regulators may try to use one organisation as an example to others, hitting them with a huge fine to encourage other businesses to fall into line.
Organisations have just over a year before the GDPR comes into effect – on 25th May, 2018 – and it will be interesting to see exactly how the law will be interpreted when the time comes. If they’re to stand a chance of being compliant, they need to act now.
The 72-hour mandatory notification window is just one of several key challenges, which requires careful advanced planning if businesses are to comply in time.
It goes without saying that the number one priority should be for organisations to avoid data being breached altogether, but it’s vital that businesses plan for this eventuality.
Implementing a thorough data privacy regime, putting processes in place early on and implementing safeguards like encryption will absolutely help organisations on their way to compliance.
Sourced by Deema Freij, global privacy officer at Intralinks