What are the GDPR Requirements?
The GDPR requirements are less prescriptive than many security frameworks because they leave room for how you meet them. The breach notification rule is the exception: once you become aware of a personal data breach, you must notify the supervisory authority (the Data Protection Authority, or DPA) without undue delay and, where feasible, within 72 hours. The notification must describe the nature of the breach, including where possible the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed in response. Knowing all of that within three days is a big undertaking for many organizations, and it usually means investing in tooling and process to shorten the detection, incident response, and recovery cycle.
GDPR will change how you approach data. Not only must you notify the competent supervisory authority (for cross-border processing, the lead authority in the country of your main establishment, not a representative in every country you sell to) within 72 hours of becoming aware of a breach, but you must also be able to say what personal data was affected and how. The difficulty is that most organizations deal with breaches after the fact, bringing in investigative teams once the incident is discovered, and a full picture can take weeks or months to assemble. Under GDPR the initial report cannot wait for that: the regulation allows information to be provided in phases without undue further delay, but the first notification is still due within the 72-hour window. Security teams will be affected most, because the regulation forces them to reengineer the processes and outside vendor relationships they rely on for incident response. Companies are looking for new approaches, whether through technology or procedure, to align themselves with the shortened incident response and reporting time frame.
A breach is any security incident leading to the “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” It must be reported to the supervisory authority unless it is unlikely to result in a “risk to the rights and freedoms” of data subjects; where the risk is high, for example exposure of payment card data or other sensitive personal identifiers, the affected individuals must be notified as well. A Data Protection Officer (DPO) is mandatory for public authorities and for organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data; other organizations may appoint one voluntarily, and many do. The DPO advises the organization on its obligations, monitors compliance, and is the contact point for the supervisory authority and for data subjects, so the DPO should be involved from the moment an incident is detected. The role is not that of a crisis manager or spokesperson, but it shapes how you explain to customers what data you gather and how you handle it.
Another critical requirement is honoring data subject rights: anyone whose personal data you store can ask to have it erased (the “right to be forgotten”) or to receive it in a portable format so it can be moved to another provider, and you need the ability to locate and act on that data across your systems in order to respond.