Incident Response Under GDPR: What to Do Before, During and After a Data Breach

The European Union (EU)’s General Data Protection Regulation (GDPR) is in full effect, but many organizations still don’t have the processes in place to be compliant. According to an IBM survey, only 36 percent of executives said they expect to be GDPR-compliant by the enforcement date.

For many organizations, one of the top challenges is complying with the GDPR’s tight 72-hour data breach notification window. To help organizations accelerate their incident response times and meet this deadline, we’ve outlined steps privacy teams can take before, during and after a data breach to help them comply with the GDPR and improve their overall privacy and security processes.

Before the Breach: Preparing Your Incident Response

Being prepared to follow the GDPR’s Article 33 instructions for reporting a data breach to your supervisory authority is just as important as acting quickly when the breach hits. Proper incident response planning and practice are essential for any privacy and security team, but the GDPR’s harsh penalties amplify the need to be prepared.

Developing a proven, consistent and repeatable incident response plan is critical for complying with the GDPR. This plan should include all steps that are needed in the event of a data breach and should be tested frequently to identify gaps.

During the Breach: Orchestration, Automation and Documentation

Once a data breach has been discovered, the GDPR’s Article 33 outlines the information that an organization must determine and document to stay compliant.

This includes:

• The nature of the breach, such as the number and types of data records and data subjects;
• Contact details for your data protection officer or similar point of contact;
• The likely consequences of the personal data breach; and
• Measures taken or proposed to be taken by the controller to address the personal data breach.

During this step, the organization should also document the effects of the breach and remedial actions taken. This information will be required by the supervisory authority after the breach, and preparing this proactively can save teams valuable time.

Additionally, organizations should seek ways to leverage orchestration and automation during this step to help accelerate response times and make their efforts more effective and efficient.

After the Breach: Notifying Authorities Within 72 Hours

At this point, the 72-hour clock to notify the supervisory authority has started. Organizations need to begin the conversation with them during this window and show all the data that has been collected. If it’s not possible to provide all the necessary information at the same time, the information may be provided in phases without undue further delay, per article 33.

It’s not just about showing the results of the breach, however. Organizations should explain the data breach, including what security measures were already in place and how they plan to improve the process. This means conducting a postmortem analysis of the situation — a requirement under the GDPR.

After the conversation with the supervisory authority, organizations need to implement these adjustments. Security teams should develop a plan to update the incident response process and resume best practices for testing and updating the plan.