Do 72 Hours Really Matter? Data Breach Notifications in EU GDPR
On January 23, South Dakota’s Senate Judiciary Committee voted unanimously to approve Senate Bill No. 62, which will require organizations and individuals to notify South Dakotans whose personally identifiable information (PII) was, or is believed to have been, exposed to and accessed by unauthorized parties. It will require businesses to notify affected South Dakotans within 60 days of a data breach’s discovery, with penalties of up to US$10,000 per day per violation.
With data breaches increasingly coming to the threat landscape’s fore, the way organizations inform affected individuals is as vital as the methods used to secure personal data. But with over 48 notification laws in the U.S. alone, it's beginning to sound like a powder keg of confusion. In the U.S., Florida has the shortest breach notification timeline at 30 days. The European Union’s (EU) General Data Protection Regulation (GDPR), however, provides a data breach notification law that’ll rule them all.
[READ: What organizations need to know about the EU General Data Protection Regulation (GDPR)]
The EU GDPR will require faster turnarounds, stricter risk assessments, and heftier penalties from organizations. From Article 33 of the GDPR:
“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.”
Notifications become a race against the clock as soon as the organization’s IT/information security staff and system administrators determine, with prudent certainty, that there’s been a data breach. Under the GDPR, the affected organization must alert the local supervisory authority, or the country’s data protection authority. In the U.K., for instance, the organization must notify the Information Commissioner’s Office (ICO).
Affected organizations must also report to supervisory authorities the nature of the breach, including the amount of PII involved. They must also provide communication channels via a designated data protection officer, specify the potential impact, and spell out how the company responded to the incident. Failure to comply can entail penalties of as much as €20 million, or 4% of a business’ global revenue, whichever is higher.
[READ: Protection, detection, response: State-of-the-art security for your business’ GDPR strategy]
The EU GDPR is indeed a game changer. Preventing and responding to data breaches entails a holistic effort from everyone in the organization, from IT, legal, and operations to upper management. Some are already gearing up ahead of the GDPR’s implementation on May 25. Facebook, for instance, just overhauled its “privacy principles” to be GDPR-compliant and protect its user base of over 2 billion. Technology firms Google and Amazon, too, are polishing their privacy policies and fine-tuning their technologies to better secure the data they store and process.
For businesses falling under the GDPR’s purview, compliance involves arraying defenses at each level of the infrastructure handling personal data — from the network's physical perimeter to the online gateways, endpoints, networks, and servers. For starters, the European Commission has a set of guidelines on the GDPR’s data breach notification that can help organizations streamline their strategies.
Trend Micro solutions, powered by XGen™ security, deliver state-of-the-art security capabilities that can be used to help address GDPR compliance. Trend Micro™ XGen™ security provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. It features high-fidelity machine learning to secure the gateway and endpoint data and applications, and protects physical, virtual, and cloud workloads. With capabilities like web/URL filtering, behavioral analysis, and custom sandboxing, XGen protects against today’s purpose-built threats that bypass traditional controls and exploit known, unknown, or undisclosed vulnerabilities. Smart, optimized, and connected, XGen powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.
For further guidance on the GDPR and state-of-the-art cybersecurity solutions, download our whitepaper, “Solving the GDPR Puzzle: Data Protection with State-of-the-Art Cybersecurity.”