GDPR Incident Response Guidelines

Inside the who, what, why, and how of GDPR notification obligations

The European Union’s General Data Protection Regulation (GDPR) governs digital privacy for EU citizens. These trust-focused regulations went into effect in 2018, giving individuals unprecedented control over how organizations can collect and use their personal data.

General Data Protection Regulation (GDPR)

Automate GDPR obligations with the BreachRx platform

Tailor your incident response plan in minutes so you know exactly what to do by when and take the crisis out of your incident response

Who must adhere to GDPR?

Any company that might possibly collect or use data about EU citizens, regardless of the company’s location, must adhere to GDPR guidelines.

What information does GDPR cover?

Under GDPR, individuals have the right to understand what data will be or has already been collected about them, how that data will be used, and to request that data be deleted.

Why is GDPR compliance important?

Failure to comply with GDPR in any way, including how data is collected, used, or stored, can lead to a fine of up to 4% of a company’s annual global turnover.

GDPR also includes clear guidelines for incident response in cases like data breaches and errors. These cases lead to strict notification requirements companies must follow.

What’s Required Under GDPR Incident Response Guidelines

If any of those trigger events occur, companies must issue a notification under GDPR incident response guidelines.

Notifying the GDPR Supervisory Authority

Organizations must notify the appropriate GDPR supervisory authority within 72 hours after learning about the incident (or include reasons for a delay past that timeframe).

The notification should detail:

  • The incident, including the types and amount of data involved and the number of people associated with that data
  • Contact information for someone at the company who can share more details (this should usually be the Data Protection Officer, a role required by GDPR)
  • Likely consequences from the incident
  • Plans to address the incident and reduce any negative effects

If companies do not have all of this information at once, they can provide the details in phases, but the initial notification should still come in the 72 hour window.

Notifying Affected Individuals

If the incident creates a situation that puts the affected individuals at high risk, then organizations must also notify those people as soon as possible. These notifications should clearly describe the incident and the type of information compromised.

GDPR sets deadlines of “without undue delay” for these notifications, which some interpret as 72 hours (the timeline used in other parts of the regulation) while others believe this part of the regulation is more tolerant of a wider timeframe. Either way, organizations should not delay, as courts have ruled in prior judgements that the deadline is “not compatible with a time limit of several weeks or … several months”.

Organizations do not need to send these individual notifications if:

  1. The compromised data is protected in a way that renders it unusable to any attackers (for example, if it’s encrypted and therefore unreadable).
  2. The organization has already taken action that will reduce the fallout from the incident so that it no longer threatens individual safety or freedoms.
  3. There are too many individuals affected that notifying every one of them would become a big burden, in which case GDPR allows companies to make a public announcement that notifies all of the people on which they have data.

What puts affected individuals at high risk?

Any data that threatens individual freedom or safety by creating a social or economic disadvantage, such as:

  • Discrimination
  • Loss of confidentiality
  • Identity theft
  • Financial loss 

This includes confidential data and personally identifiable information (PII) like:

  • Name
  • Date of birth
  • Health records
  • Bank details

6 Types of Events That Can Trigger Notification Under GDPR

Many of the events that can trigger notification are types of data breaches, but organizational errors can also lead to incident response situations. The most common include:

ransomware

Ransomware

A ransomware attack is when a group installs malware on a computer that can steal information and hold it captive in exchange for money. Even if companies retrieve the data, it was still exposed to an unauthorized third party.

stolen-records

Data Theft

Any kind of data theft is a breach under GDPR. One of the most common types of data theft is exfiltration, which occurs when attackers gain unauthorized access to data and transfer it onto their own servers or devices.

alert

Improperly Sold Data

Improperly selling individuals’ personal information and data, whether it was an organizational effort or a rogue employee, qualifies as a data breach that requires notifications and for which the company is liable under GDPR.

open-lock

Mistakenly Exposed Data

Mistakenly sending information to the wrong person or sharing information in an insecure way (i.e. sending sensitive information on an improper, unencrypted channel) will trigger a GDPR notification.

tri-alert

Mistakenly Updated or Deleted Data

Mistakenly overriding information, deleting data, or introducing errors in any way counts as a data breach that requires notification under GDPR, even if the error stemmed from a mistake or incompetence.

data-theft

Stolen or Lost Physical Records

Physical data records that are stolen or lost qualify as a data breach under GDPR, since they might then fall into the wrong hands. So does any damage (e.g. flood, fire) to physical records if they are the sole copy of information.

Why Proactive Incident Response is so Important for GDPR

GDPR presents strict guidelines for data privacy, and over €158.5 million in fines has made clear the EU is serious about enforcing these regulations.

This situation makes it absolutely critical for any company that has data about EU citizens to closely monitor GDPR requirements and how they change over time. It also means organizations need a long-term breach response plan. Avoiding an incident altogether is important, but it’s a given that one will occur at some point, and that makes having an actionable, proactive incident response plan non-negotiable.

Supercharge your incident response strategy with the BreachRx platform

Stop using spreadsheets and documents to keep track of the tasks you need to accomplish during an incident response.