The Need for Speed: Why the 72-hour breach notification rule in GDPR is good for industry

The EU’s General Data Protection Regulation (GDPR) will force many changes in technology and processes when it comes into effect in May 2018.  We have heard extensively about how companies and other organizations will have to provide capabilities to:

  • Collect explicit consent for the use of PII per purpose
  • Allow users to revoke previously given consent
  • Allow users to export their data
  • Comply with users’ requests to delete the data you are storing about them
  • Provide an audit trail of consent actions

Software vendors are preparing, particularly those providing solutions for IAM, CIAM, ERP, CRM, PoS, etc., by building in these features if not currently available. These are necessary precursors for GDPR compliance.  However, end user organizations have other steps to take, and they should begin now.

GDPR requires the data controller to notify the Supervisory Authority (SA) of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it (Article 33); where notification comes later, the reasons for the delay must be given. In practice the organization’s Data Protection Officer (DPO) will often be the point of contact for this. Where the breach is likely to result in a high risk to the affected individuals, they must also be notified without undue delay (Article 34). Note that the clock starts at discovery, not at the end of the investigation, so organizations must begin preparing now for how they will execute notifications: define responsible personnel, draft notification templates, and plan for remediation.

Consider some recent estimated notification intervals for major data breaches in the US:

  • Equifax: 6 weeks to up to 4-5 months
  • Deloitte:  perhaps 6 months
  • SEC: up to 1 year
  • Yahoo: the latest revelations after the Verizon acquisition indicate up to 4 years for complete disclosure

The reasons data custodians need to notify quickly are clear and simple:

  • The sooner victims are notified, the sooner they can begin to remediate risks.  For example, Deloitte’s customers could have begun to assess which of their intellectual property assets were at risk and how to respond earlier.
  • Other affected entities can begin to react.  In the SEC case, the attackers had plenty of time to misuse the information and manipulate stock prices and markets. 
  • Cleanup costs will be lower for the data custodian, and a short interval between discovery and disclosure leaves less room for misconduct: selling stock after a breach is discovered but before it is disclosed may constitute illegal insider trading in many jurisdictions.
  • It will be better for the data custodian’s reputation in the long run if they quickly disclose and fix the problems.  The erosion of Yahoo’s share price prior to purchase is clear evidence here.

Understandably, executives can be reluctant in these matters.  But delays give the impression of apathy, incompetence, or even malicious intent, as if executives were attempting to hide or cover up such events. Though GDPR is an EU regulation, it also applies to companies and organizations outside the EU that process personal data of people in the EU, for example by offering them goods or services or monitoring their behaviour.  Even for organizations not subject to GDPR, fast notification of data breaches is highly recommended. 
