Notification vs. Remediation: Will the GDPR Transform Data Breach Response?
June 29, 2017
Most companies put a lot of time and money into preventing a data breach. But starting May 2018, a new European Union (EU) regulation will ensure companies place similar focus on the hours after a breach is discovered.
“The Data Breach Notification requirement will be a game-changer,” says Forrester.
The General Data Protection Regulation (GDPR) passed by the EU will require companies to notify authorities within 72 hours of identifying a breach. And you may think a European law won’t apply to your organization, but that’s not the case.
As Forrester states, “Every organization—regardless of its location—doing business with EU customers will need to make changes to its oversight, technology, processes, and people to comply with the new rules.”
By comparison, the strictest breach notification law currently in force in the U.S. is California’s, which requires companies to notify the government and consumers no later than 15 business days after the breach.
Today, many companies, especially those that have created a multi-SaaS maelstrom of applications and data, aren’t equipped to meet the GDPR’s breach notification demands. And the regulation cannot be ignored. The penalty is too severe. Failure to notify the proper authorities after a breach occurs can result in fines up to 4% of annual global revenue or €20 million (whichever is greater).
The GDPR requires companies to provide in-depth details on a breach.
Here’s what’s required, according to Article 33 of the GDPR:
- Describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
- Describe the likely consequences of the personal data breach;
- Describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
All this in just 72 hours.
A New Balancing Act: Notification vs. Remediation
The GDPR breach notification requirement raises a lot of questions. For example, is it justifiable to delay a breach notification in order to prioritize remediation and keep a problem from getting worse? Will an organization be penalized for doing so?
Without the proper technology and practices in place, this new rule may actually create bad habits and harmful breach response behavior, as companies scramble to avoid penalties instead of immediately mitigating risk.
This is the latest balancing act for IT. How can a company notify authorities and remediate a breach within 72 hours? After all, three days isn’t a lot of time to perform a breach investigation, especially not when you’re trying to fix it as well.
Thankfully, multi-SaaS management and security vendors are emerging to help companies take the best approach: proactively prevent data breaches. Still, these same tools must also equip IT to identify, audit, and remediate a breach within 72 hours.
However, SaaS is still a “new” technology, and protecting the data it creates and stores will remain a major topic of discussion for years to come.
The GDPR Silver Lining: More Toys and Bigger Budgets
There is good news in all this. While GDPR presents a significant challenge, it’s actually a huge opportunity for IT.
Suddenly, a bigger IT budget is non-negotiable. Data protection is now essentially a legal requirement, so these “IT” expenses become necessary operating costs of conducting business. The GDPR effectively makes the case for a bigger IT budget.
Additionally, the new ruling is a potential career advancement opportunity. Companies will actively seek out cybersecurity specialists and IT professionals that understand how to remain compliant under the GDPR. If you’ve got the skill set, you’ve likely got the job.
If you haven’t already, you should talk with your team and executives immediately. The need to prevent, detect, remediate, and audit a SaaS-related data breach has never been more clear or urgent.
The law takes effect in less than a year.