Toon is similarly unconcerned by the mandatory 72-hour notification window, which may be a surprise given that most organizations have breaches sitting unrecognized in their networks for months at a time. Under GDPR, the "destruction, loss, alteration, unauthorized disclosure of, or access to" people's data must be reported to a country's regulator within that window. "Mandatory notification in 72 hours is clearly achievable. This isn't about a full diagnostic and report into what happened. This is the cursory notification to the regulator that something is afoot. Share what you know: your plan for further investigation and triage, along with an anticipated timeline."
Other experts have made the same point. Burberry's recently departed head of information security, John Meakin, suggested that speaking to the regulator is key to transparency and to avoiding costly fines.
How do companies accelerate their GDPR initiatives?
Baines recommends that organizations work closely with the DPO and their teams. If they don't have a DPO, CISOs and CIOs should be lobbying their board hard to introduce one, on the basis that "data protection isn't, and shouldn't be, the sole responsibility of an information security lead."
Toon recommends that organizations get some "validated and authentic" advice, and entrust a person or group of people to manage all aspects of GDPR, from delivering company-wide training to ensuring the supply chain is up to date (contract updates are recommended). At the heart of it, he says, is good data management. "Work out what personal data you have. Where is it? How did you get it? Get rid of it if you don't need it," he says. He adds that appointing a DPO could be considered good practice.
Verdian agrees that organizations must understand the type of data they hold, where it is located, and how it is being used. This should then be compared against the regulation's requirements. "You have to maintain this level of compliance throughout your organization. Embedding privacy-compliant thinking into projects and programs, using tools like a privacy impact assessment, to understand the risk of each activity."