Intelligent CISO Issue 04 | Page 84

ORGANISATIONS NEED FASTER, MORE ACCURATE BREACH RESPONSE FOR GDPR COMPLIANCE

New GDPR regulations require organisations to report a data breach within 72 hours, something which Barbara Kay, Senior Director of Security at ExtraHop, says might not be long enough for some. She talks to Intelligent CISO about some of the steps organisations need to take to ensure they are compliant.

Barbara Kay, Senior Director of Security at ExtraHop

Three days isn’t a long time. For some, it certainly won’t be enough to delve into the cracks of a breached organisation, lift minute details from the wreckage and explain to the government and customers why, how and to whom it happened. Still, that’s the timeframe in which GDPR-compliant organisations will be expected to notify both regulators and the victims of a breach.

The requirement can be found in GDPR’s Articles 33 and 34. The articles state that breached organisations must report to both the regulator and the data subject (the owner of that data) within 72 hours of the discovery of a breach.

Under those requirements, organisations are going to have to ‘describe the nature of the personal data breach’. That involves drawing out a number of fine details. These include:

• How the breach happened
• How many data records were taken
• Whose they were; what the impact of that breach might be to them
• How the breached organisation was using the exposed data
• The forensic details of the breach
• Any remediation or mitigation plans that they have in place

And all of this will be done, the GDPR text states, ‘without undue delay’. There are only a few exceptions to these rules and compliant organisations will have to document their breaches in detail even if they don’t need to directly report them. A failure to report – or fulfil other GDPR obligations – could mean fines that run as high as 4% of global turnover.

Most enterprises simply can’t monitor, detect, investigate or respond in the way that they need to effectively disclose within that 72-hour window.