GDPR Notification Versus Remediation
One of the ‘rules’ under GDPR is a demanding one: organizations are required to provide detailed information about a data breach within 72 hours. Currently in the US, California has the most stringent law, and it states 15 days. We like to drag our feet. Think about how many breaches have occurred, yet only came to light months later, if at all.
My first question is, how is any organization going to provide the following information in 72 hours? Then again, if organizations were proactively managing their content and actually knew what was going on in their enterprises, they probably could.
According to Article 33 of the GDPR, organizations need to:
- Describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned.
- Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained.
- Describe the likely consequences of the personal data breach.
- Describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Now my second question is, how can the data breach be remediated in 72 hours? The penalties are steep if you can’t provide this information in time.
Our software can take care of the first two bullet points, as it is proactive, operates in real time, and can identify and protect any privacy or sensitive information exposures. As for the remaining bullet points, you’re on your own.
What would you say to the auditors in 72 hours?