What You Need to Know about GDPR Breach Disclosure, Response

By: Mark McGlenn | 3/1/2018

Incident response is a critical pillar of an effective endpoint security program, one that will gain importance as GDPR enforcement comes into play after May 25th. Organizations must be ready to react if and when an incident occurs in order to meet the stringent requirements that apply during an incident.

Under Articles 33 & 34 of General Data Protection Regulation (GDPR), a personal data breach must be disclosed to supervisory authorities and data subjects “without undue delay and, where feasible, not later than 72 hours” unless certain conditions are met. The current average discovery to notification timeframe is 29.1 days, so significant improvement is needed in order to comply with GDPR standards. For more information on another area where organizations also seek compliance clarification, security processing, see my earlier post.

Evidence of Active Risk Mitigation Measures

GDPR requires disclosure if an incident is “likely to result in a high risk” to the rights and freedoms of data subjects. In order to prove that an incident is not “high risk,” organizations must prove that “appropriate technical and organizational” protections are in place or that subsequent measures have been taken to ensure risks are not likely to materialize.

This GDPR article aims to move organizations toward privacy by design or default, meaning that data protection measures must be implemented across all data processing activities and that compliance be constantly monitored.

Demonstrating adequate measures are in place to mitigate privacy risks is just as critical as securing the data itself.

Although encryption is one technology that renders data unintelligible to those not authorized to access it, organizations must be able to demonstrate encryption and other security applications were in place and working at the time of an incident. Regulators can require that organizations provide proof of compliance and risk management strategies. This is only possible if you have full and unobstructed visibility over your entire device fleet and the data they contain.

Rapid Response to Security Incidents

In the event of a security incident, organizations can avoid breach notification requirements if they can render the personal data unintelligible or inaccessible. Once a security incident occurs, rapid remediation is required.

There are two important stages to response: identifying suspicious activity (vulnerability management) and breach response. The first stage helps organizations pre-empt security incidents through resilient insight into suspicious activity, helping identify events that may be precursors to security incidents. This stage relies on the efficacy of the security application layer, which can be bolstered by self-healing technology like Absolute's to ensure full application availability and integrity.

The second stage in response includes the effective implementation of the incident response (IR) plan. An IR plan will clearly define what constitutes an incident or a breach, these rules that apply in an incident, and the assets you have in play to respond and to investigate an incident. Organizations have relied on Absolute for years to remotely detect, recover and delete personally identifiable information from devices or in the cloud, a capability also required for GDPR’s ‘right to erasure,’ and to ensure data is not maintained for longer than ‘strictly necessary.’

Rapid forensic investigation of a security incident can be critical after the fact to figure out exactly what happened and how the incident occurred. For many organizations, outsourcing investigations to a trusted partner can help ensure that response capabilities remain within the critical 72-hour window. The experienced Absolute Investigations team, on call 24x7, have years of experience leading the response efforts in the event of a security incident, working with law enforcement and providing compliance reports.

For more on how Absolute can support your GDPR efforts across a variety of GDPR Articles, visit Absolute.com/GDPR.

The information in this blog post is provided for informational purposes only. The materials are general in nature; they are not offered as advice on a particular matter and should not be relied on as such. Use of this post does not constitute a legal contract or consulting relationship between Absolute and any person or entity.  Although every reasonable effort is made to present current and accurate information, Absolute makes no guarantees of any kind. Absolute reserves the right to change the content of this post at any time without prior notice.  Absolute is not responsible for any third party material that can be accessed through this post. The materials contained in this blog post are the copyrighted property of Absolute unless a separate copyright notice is placed on the material.

Financial Services