It’s hard to believe we’ve almost reached the one-year anniversary of the date the General Data Protection Regulation (GDPR) went into effect. Leading up to that May 25, 2018 date, news headlines were dominated by fear, uncertainty and doubt over whether organizations would successfully comply in time.
Over the past year, we saw an endless stream of stories about companies getting slapped with fines for violating various regulations within GDPR. In fact, a recent report by DLA Piper found that there have been almost 60,000 breaches reported over the past year and more than 90 fines imposed.
While GDPR has certainly raised a number of legitimate security and compliance concerns for organizations around the world doing business with EU citizens, it has also pushed them to improve data privacy efforts and strengthen their overall risk posture. And, with its one-year anniversary in sight, there’s no better time to shift the GDPR storyline from a tale of non-compliance to one of security prowess.
In this light, here are three ways I believe U.S. organizations have greatly benefited from GDPR.
1. GDPR has prompted organizations to improve their incident response strategies
GDPR requires organizations to report a breach to the supervisory authority within 72 hours of discovery. And “reporting” the breach goes well beyond simply notifying authorities that it happened. Organizations must also include breach details, such as the nature of the breach, the approximate number of data subjects and personal data records affected, the possible consequences of the breach, and measures taken or proposed to address the breach.
Without an incident response plan and automated data collection and analysis technology, it’s nearly impossible for any company to meet this 72-hour deadline, which is why we’re seeing organizations take a hard look at their operational readiness to react to a breach.
Following this internal assessment, many companies are modernizing their incident response capabilities by doing things such as documenting an incident response plan, hiring a data protection officer, defining team members’ roles and responsibilities, deploying automated data collection and analysis technology, and implementing data protection impact assessments.
A strong incident response program is not only critical to meet GDPR’s 72-hour breach notification deadline, but it’s also instrumental in limiting the damage of an attack – which, in today’s cybersecurity landscape, can be just as valuable as preventing a breach in the first place.