Q
Problem solve Get help with specific problems with your technologies, process and projects.

When does the clock start for GDPR data breach notification?

As new GDPR data breach notification rules go into effect, companies must be ready to move faster than before. Mimecast's Marc French explains what will change and how to cope.

With the European Union's new General Data Protection Regulation set to begin enforcement on May 25, every company...

that collects data about EU data subjects -- citizens or residents of any of the 28 member nations of the European Union -- needs to be ready to report on breaches of that data within 72 hours of a data breach.

However, even businesses with existing protocols for breach notification must take care, as the new rules for GDPR data breach notification speed up the process and require companies to move much faster than before to notify government agencies about potential breaches, as well as consumers whose data has been compromised.

Marc French, senior vice president, CTO and data protection officer for GDPR compliance at Mimecast, a cloud email security company headquartered in Lexington, Mass., explained how the timeline for notifying EU national data protection authorities about potential breaches, as well as consumers whose data may have been compromised, is changing under the new GDPR data breach notification rules.

French shares how the GDPR data breach notification rules will change the landscape for breach notification in general, and how businesses can prepare for it. Here is his answer:

Marc French: There is a whole set of legislation for 48 different states that talk about breach notification and the different timelines they need to deliver it. The key indicator or the key trigger there is when you actually know that a breach has occurred.

Marc French, senior vice president, CTO and data protection officer for GDPR compliance at MimecastMarc French

If you think about how a breach unfolds, an event comes in, they get some data, the internal security team starts doing some investigation, they do a bunch of triage, maybe they bring in Mandiant or CrowdStrike, and they do a bunch of reviews, and then they have this kind of huzzah moment that says, 'Yep, we had a data breach.'

And then the clock starts at that particular point. That could be a day, [or] it could be two weeks into the investigation, but there's generally some certainty that a breach has actually occurred. So they go, and the clock starts, and they start their breach notification process in every state in which they think there is an impacted party.

The challenge you have with GDPR [data breach notifications] is that that first foray starts much earlier. Instead of getting to that point where we determine there's a breach, they actually want you to notify the supervisory agencies as soon as you think there may have been a breach.

What will happen is that the clock starts on the day one event where something comes into the security operations center and they see an event that could possibly lead to the fact that my database has been exfiltrated in the organization -- not at the point in time where I confirmed it, so my 72-hour window starts almost on day one, not on week two in that first example.

So you've got that timing issue. A lot of folks are going to now be pressed to make these notifications much earlier in the time frame. The one nuance I would say is, for GDPR, it's notification to the supervisory organization, so it's the information commissioner in the United Kingdom instead of actual notification of the data subjects.

When you talk about the U.S. breach legislation, once you make that supervisory notification, [that's] the attorney general here in the Commonwealth [of Massachusetts], there is an expectation that you're already starting to formulate your notification to the data subjects that are impacted because you've confirmed it. It's not necessarily true for GDPR that you're doing that either at that point in time in that first 72 hours because you haven't confirmed it yet.

What they are asking you to do is notify data subjects at 72 hours. It's really accelerating that supervisory notification, but I think you still have that ability to make the data subject notification that actually is true to form in that it's actually representative of an actual breach in the environment.

It's going to force folks to move faster on the notification to the government, but it doesn't necessarily necessitate moving faster in the notification of data subjects.

This was last published in March 2018

Dig Deeper on Data privacy issues and compliance

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Join the conversation

1 comment

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

What has your organization done to be ready to comply with the new GDPR breach notification rules?
Cancel

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly.com

Close