GDPR Article 33: Planning and Response for the 72 Hour Window

By Addison Shaw: Responding to a data breach is a high-pressure situation, especially when you consider the EU’s newest privacy regulation, the General Data Protection Regulation (GDPR), and its requirements. If you and your organization fall under the scope of the GDPR, you need to know what your obligations per ...

By Addison Shaw:

Responding to a data breach is a high-pressure situation, especially when you consider the EU’s newest privacy regulation, the General Data Protection Regulation (GDPR), and its requirements. If you and your organization fall under the scope of the GDPR, you need to know what your obligations per the GDPR are.

The GDPR basics

Businesses all over the world are still figuring out the GDPR. Certain pieces of it still need interpretation, but you can get some of the known basics here. Overall, the GDPR is an opportunity to raise the bar for data management practices on a global scale and to build more trust between data collectors and data subjects.

Data controllers, data processors, and data breaches

The GDPR establishes two important distinctions: data controllers and data processors.

Data controllers start the data collection process, and their responsibilities reflect this:

  • Establishing the legal basis for collecting data
  • Defining the use and purpose of the collected data
  • Determining what data and whose data is collected
  • Data processors are much more hands-on with the data, and their responsibilities spell that out:
  • Determining how personal data is stored
  • Deciding which security practices are used to protect the stored data
  • Determining how data is deleted, disposed of, or produced at the request of a data subject

Article 4 of the GDPR defines a data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed.” When a breach happens, each party has another set of obligations to meet.

A data processor must notify their data controller as soon as possible if they’re hit. But data controllers have to do much more, including:

  • Notify their supervisory authority within 72 hours of discovery
  • Describe the breach, the number of involved data subjects, and the compromised data
  • Direct data subjects to where they can obtain more information
  • List the likely consequences of the breach
  • State the data controller’s plan for addressing the breach, as well as ways data subjects can mitigate the effects
  • Document the event

Beating the 72 hour window

Communication is the key to complying with the GDPR’s 72 hour data breach reporting window.

Continue reading the full post via Veoci.

Business Continuity, Enterprise Risk, Methodology / Metrics, Safety and Security

Sponsored Content

Webinars, Podcasts & Videos

Business Continuity Webinar

Did You Miss Our Latest Business Continuity Webinar?

It's not too late! You can still watch the “Business Continuity Exercise Planning and Facilitation Techniques To Start Now” video webinar.

facility resilience webinar

From Prevention To Action: The Role Of Facilities Management In Handling Emergencies And Maintenance

This free webinar on facility resilience will provide actionable strategies to safeguard assets, protect lives, and ensure operational continuity.

adaptive decision-making

Listen Now: Decision-Making During A Crisis

Robert C. Chandler, Ph.D, Founder and Principal of Emperiria discusses his research on adaptive decision-making in this podcast.

Receive the latest articles in your inbox

Share to...