What Is GDPR?

The European Union General Data Protection Regulation (GDPR), — described as “the most important change in data privacy regulation in 20 years” — becomes enforceable by law on May 25. After four years of preparation and debate, GDPR was approved by the EU Parliament in April 2016 to replace the Data Protection Directive 95/46/EC. According to the EUGDPR.org, the overarching purpose of GDPR is to “harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.” Organizations located within the EU that offer goods or services to, or monitor the behavior of, EU data subjects; and all companies processing and holding the personal data of data subjects residing within the region are expected to comply with the new regulations.

Notification Requirements under GDPR

Under GDPR, companies can expect supervisors and data subjects to receive accelerated notification timing within 72 hours that officials first become aware of a data breach. The chart below outlines these requirements:

GDPR flowchart showing notification requirements

Potential consequences for non-compliance with these GDPR notification requirements not only include hefty financial fines — up to €10 million or up to 2 percent of the total worldwide turnover of the preceding year — but also potentially significant impacts to brand reputation over the long term.

What Can Companies Do to Get Ready?

Gartner predicts only 50 percent of companies impacted by GDPR will be compliant by the end of 2018. So, what can organizations do to get ready?

Focus on Breach Prevention

  • Identify, assess and amend existing technical and organizational security measures (GDPR Article 32)
  • Review cyber insurance policies to ensure they sufficiently cover the costs of a data breach
  • For third-party vendors/processors:
    • Implement/amend existing due diligence procedures to cover data protection/security
    • Check existing contractual terms and incorporate new mandatory GDPR requirements, including specification of the mandatory breach-reporting obligation and specific security measures

Review and Enhance Your Plans

  • Review and update existing incident response and crisis communications plans to ensure they account for GDPR requirements
  • Develop protocols and processes to meet the 72-hour notification requirement

Educate and Equip Employees

  • Conduct board training/education session
  • Inform, train and educate employees about the new regulations and impacts on data handling and breach notification

Test and Train the Team 

  • Pressure test GDPR-related response protocols through a simulated exercise
  • Incorporate participation from core incident response team members, leaders and subject matter experts from EU markets, and external partners (e.g., legal counsel, IT forensics, crisis communications partners, notification mailing, call center and credit monitoring
  • Identify gaps and update/enhance incident response plans to address

Andy Liuzzi is an executive vice president, Crisis & Risk Management, Chicago.