bluebay2014 - Fotolia
When does the clock start for GDPR data breach notification?
As new GDPR data breach notification rules go into effect, companies must be ready to move faster than before. Mimecast's Marc French explains what will change and how to cope.
With the European Union's new General Data Protection Regulation set to begin enforcement on May 25, every company that collects data about EU data subjects -- citizens or residents of any of the 28 member nations of the European Union -- needs to be ready to report on breaches of that data within 72 hours of a data breach.
However, even businesses with existing protocols for breach notification must take care, as the new rules for GDPR data breach notification speed up the process and require companies to move much faster than before to notify government agencies about potential breaches, as well as consumers whose data has been compromised.
Marc French, senior vice president, CTO and data protection officer for GDPR compliance at Mimecast, a cloud email security company headquartered in Lexington, Mass., explained how the timeline for notifying EU national data protection authorities about potential breaches, as well as consumers whose data may have been compromised, is changing under the new GDPR data breach notification rules.
French shares how the GDPR data breach notification rules will change the landscape for breach notification in general, and how businesses can prepare for it. Here is his answer:
Marc French: There is a whole set of legislation for 48 different states that talk about breach notification and the different timelines they need to deliver it. The key indicator or the key trigger there is when you actually know that a breach has occurred.
If you think about how a breach unfolds, an event comes in, they get some data, the internal security team starts doing some investigation, they do a bunch of triage, maybe they bring in Mandiant or CrowdStrike, and they do a bunch of reviews, and then they have this kind of huzzah moment that says, 'Yep, we had a data breach.'
And then the clock starts at that particular point. That could be a day, [or] it could be two weeks into the investigation, but there's generally some certainty that a breach has actually occurred. So they go, and the clock starts, and they start their breach notification process in every state in which they think there is an impacted party.
The challenge you have with GDPR [data breach notifications] is that that first foray starts much earlier. Instead of getting to that point where we determine there's a breach, they actually want you to notify the supervisory agencies as soon as you think there may have been a breach.
What will happen is that the clock starts on the day one event where something comes into the security operations center and they see an event that could possibly lead to the fact that my database has been exfiltrated in the organization -- not at the point in time where I confirmed it, so my 72-hour window starts almost on day one, not on week two in that first example.
So you've got that timing issue. A lot of folks are going to now be pressed to make these notifications much earlier in the time frame. The one nuance I would say is, for GDPR, it's notification to the supervisory organization, so it's the information commissioner in the United Kingdom instead of actual notification of the data subjects.
When you talk about the U.S. breach legislation, once you make that supervisory notification, [that's] the attorney general here in the Commonwealth [of Massachusetts], there is an expectation that you're already starting to formulate your notification to the data subjects that are impacted because you've confirmed it. It's not necessarily true for GDPR that you're doing that either at that point in time in that first 72 hours because you haven't confirmed it yet.
What they are asking you to do is notify data subjects at 72 hours. It's really accelerating that supervisory notification, but I think you still have that ability to make the data subject notification that actually is true to form in that it's actually representative of an actual breach in the environment.
It's going to force folks to move faster on the notification to the government, but it doesn't necessarily necessitate moving faster in the notification of data subjects.