The 3 Day Rule [Article 33]: [the GDPR Series (13)]

Summary: The 72-hour breach reporting requirement will require coordination between people, process & technology for success in the EU and abroad.

• Article 33 of the GDPR mandates reporting of breach within 72 hours. The Article puts the onus on the Data Protection Officer (DPO) to have full knowledge of the breach and report it within the deadline while coordinating with departments and processes.

• 72-hour deadline is a right step towards strengthening the privacy of citizens, but it also poses compliance challenges for organisations. Prioritising reporting might leave little time for organisations to fully comprehend the risks associated with breach that can lead to legal and reputational risks.

• Going forward, the development of new technology will play a vital role in preparing organisations to align their processes and comply with the deadline under the new framework.

Article excerpts from my forthcoming book – 99 Articles on the GDPR

Article 33 of the GDPR requires a mandatory 72-hour breach reporting requirement. In the event of a personal data breach, data controllers notify the appropriate supervisory authority “without undue delay and, where, feasible, not later than 72 hours after having become aware of it.” This strict timeline requires that the Data Protection Officer (DPO) have a comprehensive overview of a breach from the perspective of IT infrastructure security, breach detection, investigation and internal procedures.

credit: Imperva

As of 2018, the 72-hour breach requirement is no longer an E.U. regulation. On April 23, Senators Klobuchar and John Kennedy of Louisiana introduced the “Social Media Privacy Protection and Consumer Rights Act of 2018” (S. 2728), which would require “covered online platforms,” including public-facing websites, web applications, mobile applications, and email services, to provide notice of a data breach to affected users within 72 hours of learning that personal data about the users was inappropriately transmitted.

While Europe is aiming to strengthen personal data and privacy for its citizens, S.2728 is a step in the right direction to protect the U.S. citizen’s data. As E.U. Justice Commissioner Vera Jourova said in May when speaking about the GDPR: “privacy is much more than just a luxury. It is a necessity.”

However, to require an organization to report a personal data breach within 72 hours of learning is very challenging. No matter how many tabletop exercises and what type of process an organization may create, it’s easy to imagine a new, legitimate breach which an organization has never contemplated for yet will need to meet the requirements of Article 33. The mere act of compliance may cause confusion which may not only lead to a failure to comply but also decreased consumer confidence but legal and reputational risks for the company.

credit: Baseline Mag

According to the Baseline Magazine survey, confidence in truly having a comprehensive containment plan is quite low. There are many reasons for this, but it’s quite impossible for an organization to work with authorities and external parties to understand the breadth and depth of a possible incident through forensics. While there are technologies like Rocket Cloud by Digital DNA that cuts down parts of this process, it is a nearly impossible effort to go from breach to notification in 3 days.

The 72-hour breach requirement is an example of the intersection of people, process, and technology and will require perfect harmony in all facets to comply with the GDPR. While there is a need for people and a requirement for process, technology (specifically, identity, orchestration, and automation) will be needed to indeed comply with this new legal framework and protracted timeline.