Michael Walter, Protiviti Managing Director, and Pam Kamath, Protiviti Associate Director
Article 33 of the General Data Protection Regulation (GDPR) requires that the data controller notify the appropriate supervisory authority in the event of a personal data breach no later than 72 hours after becoming aware of it. Organizations appear to be taking this requirement to heart. The Information Commissioner’s Office (ICO), the UK’s data privacy watchdog and GDPR enforcer, received 1,750 breach reports in June 2018 – a number that far exceeds the 400 breaches on average reported in April and May.
This article explores personal data breaches and offers eight recommended actions organizations can use for responding to breaches within the 72 hours.