The European Union’s General Data Protection Regulation goes into effect on May 25, 2018. Many U.S. and Canadian businesses have been working hard to meet the new GDPR guidelines., but it’s not clear if others have the technology in place to notify individuals that their data was breached within the required 72-hour period. This is one of the primary components of the 2018 GDPR. No matter how you look at it, three days can go by very quickly when it comes to sending out data-breach notifications, especially if you haven’t planned in advance.
Many U.S. and Canadian businesses, even large enterprises, don’t always plan ahead and, instead, operate in a reactionary mode. Security professionals in the U.S. and Canada are concerned–The mandatory 72-hour GDPR breach-notification period has them worried because they don’t think most businesses are prepared. The U.S. doesn’t have a national data-breach notification requirement. However, most states do require notification within 30 to 45 days. If businesses don’t comply, they will be fined 4% of their global revenue up to $20 million. Plus, the consumers whose data is breached can file class-action suits against them for noncompliance.
Experts know that the GDPR is something to take very seriously.
They believe that the regulators in the European Union will impose the largest fines they can and that they’ll make an example of organizations that lack compliance–and will do so within the first 90 days of the breach. This is much like the U.S. Health, and Human Services/Office of Civil Rights does with their “Wall of Shame” and HIPAA breaches of personally identifiable information (PII).
The GDPR requirements apply to any organization that does business in Europe and collects personally identifiable information on European citizens. It doesn’t only apply to large multi-national corporations; it applies to any business that has 250 or more employees. Smaller companies are typically exempt, except in the case where a data breach results in a risk to the rights and freedom of individuals, isn’t an occasional occurrence, or where the processing of data includes special categories like those relating to criminal offenses or convictions.
The 2018 GDPR replaces the old Data Protection Directive of 1995. The most recent GDPR breach notification requirement was enacted in April 2016. It set a higher compliance standard for data inventory, and a defined risk management process and mandatory notification to data protection authorities.
Breach notification is a huge endeavor and requires involvement from everyone inside an organization. In-house tech support and outsourced Technology Service Providers should have acquired a good understanding of the consequences a data breach causes and the data breach notification requirements for their organization. They must be prepared in advance to respond to security incidents.
Is your technology ready for the GDPR?
Smart CIOs and CEOs in the U.S. and Canada have been preparing for the GDPR for the last year. And many larger enterprises, especially those that regularly do business in the European Union, have seen this on the horizon for a while and have taken advantage of the two-year implementation period to seriously prepare for GDPR. These organizations are ready and won’t need to worry that they can’t meet the 72-hour notification deadline. Many U.S. financial organizations and banks are already prepared as they are accustomed to notifying regulators and customers, and they have the IT infrastructure in place to respond quickly. Plus, banks in the U.S. have been functioning under more stringent regulations since the 2007-2008 financial crisis–They’re already well prepared.
The following are steps your organization should take to prepare your technology for the GDPR.
If you have all these processes properly in place, you should be able to meet the GDPR breach notification 72-hour period. The organizations that have met most of the International Organization for Standardization information security requirements should also be ready for the new regulations.
Unfortunately, many organizations won’t do this, simply because they’re not educated about the new GDPR, or they’re so busy they don’t think they have the time to make it a priority. Some think that the GDPR doesn’t apply to them. And others who don’t undertake proactive technology methods, in general, simply “bury their heads in the sand.” These organizations have waited too long now to make the May 28th deadline. Hopefully, yours isn’t one of them.