ORGANISATIONS NEED FASTER, MORE ACCURATE BREACH RESPONSE FOR GDPR COMPLIANCE
New GDPR regulations require organisations to report a data breach within 72 hours, something which Barbara Kay, Senior Director of Security at ExtraHop, says might not be long enough for some. She talks to Intelligent CISO about some of the steps organisations need to take to ensure they are compliant.
Barbara Kay, Senior Director of Security at ExtraHop
Three days isn’t a long time. For some, it certainly won’t be enough to delve into the cracks of a breached organisation, lift minute details from the wreckage and explain to the government and customers why, how and to whom it happened.
Still, that’s the timeframe in which GDPR-compliant organisations will be expected to notify both regulators and the victims of a breach.
The requirement can be found in GDPR’s Articles 33 and 34. The articles state that breached organisations must report to both the regulator and the data subject (the owner of that data) within 72 hours of the discovery of a breach.
Under those requirements, organisations are going to have to ‘describe the nature of the personal data breach’. That involves drawing out a number of fine details. These include:
• How the breach happened
• How many data records were taken
• Whose they were, and what the impact of that breach might be to them
• How the breached organisation was using the exposed data
• The forensic details of the breach
• Any remediation or mitigation plans that they have in place
And all of this will be done, the GDPR text states, ‘without undue delay’. There are only a few exceptions to these rules, and compliant organisations will have to document their breaches in detail even if they don’t need to directly report them.
A failure to report – or fulfil other GDPR obligations – could mean fines that run as high as 4% of global turnover.
“Most enterprises simply can’t monitor, detect, investigate or respond in the way that they need to effectively disclose within that 72-hour window.”
Issue 04 | www.intelligentciso.com