When does the clock start for GDPR data breach notification?

However, even businesses with existing protocols for breach notification must take care, as the new rules for GDPR data breach notification speed up the process and require companies to move much faster than before to notify government agencies about potential breaches, as well as consumers whose data has been compromised.

Marc French, senior vice president, CTO and data protection officer for GDPR compliance at Mimecast, a cloud email security company headquartered in Lexington, Mass., explained how the timeline for notifying EU national data protection authorities about potential breaches, as well as consumers whose data may have been compromised, is changing under the new GDPR data breach notification rules.

French shares how the GDPR data breach notification rules will change the landscape for breach notification in general, and how businesses can prepare for it.

Here is his answer:

If you think about how a breach unfolds, an event comes in, they get some data, the internal security team starts doing some investigation, they do a bunch of triage, maybe they bring in Mandiant or CrowdStrike, and they do a bunch of reviews, and then they have this kind of huzzah moment that says, ‘Yep, we had a data breach.’

And then the clock starts at that particular point. That could be a day, [or] it could be two weeks into the investigation, but there’s generally some certainty that a breach has actually occurred. So they go, and the clock starts, and they start their breach notification process in every state in which they think there is an impacted party.

The challenge you have with GDPR [data breach notifications] is that that first foray starts much earlier. Instead of getting to that point where we determine there’s a breach, they actually want you to notify the supervisory agencies as soon as you think there may have been a breach.

What will happen is that the clock starts on the day one event where something comes into the security operations center and they see an event that could possibly lead to the fact that my database has been exfiltrated in the organization — not at the point in time where I confirmed it, so my 72-hour window starts almost on day one, not on week two in that first example.

So you’ve got that timing issue. A lot of folks are going to now be pressed to make these notifications much earlier in the time frame. The one nuance I would say is, for GDPR, it’s notification to the supervisory organization, so it’s the Information Commissioner in the United Kingdom instead of actual notification of the data subjects.

When you talk about the U.S. breach legislation, once you make that supervisory notification, [that’s] the attorney general here in the Commonwealth [of Massachusetts], there is an expectation that you’re already starting to formulate your notification to the data subjects that are impacted because you’ve confirmed it. It’s not necessarily true for GDPR that you’re doing that either at that point in time in that first 72 hours because you haven’t confirmed it yet.

What they are asking you to do is notify data subjects at 72 hours. It’s really accelerating that supervisory notification, but I think you still have that ability to make the data subject notification that actually is true to form in that it’s actually representative of an actual breach in the environment.

It’s going to force folks to move faster on the notification to the government, but it doesn’t necessarily necessitate moving faster in the notification of data subjects.