GDPR's Impact on Incident Response

Beyond user privacy, we’ve seen GDPR impact companies in other ways.

May 25, 2019 will mark the one-year anniversary of the date the General Data Protection Regulation (GDPR) went into effect. As the most far-reaching data privacy regulation ever, GDPR has certainly made an impact on companies around the world – forcing them to up their game when it comes to protecting the personal data of European Union (EU) citizens. 

But, beyond user privacy, we’ve seen GDPR impact companies in other ways too. One of the most important, from my perspective, is the effect it’s had on incident response. 

The 72-Hour Window

Article 33 of GDPR specifies that organizations must report a breach to the supervisory authority within 72 hours of detection. In the world of cybersecurity, 72 hours is no time at all. And if this alone isn’t stressful enough, there’s more: It’s not sufficient to simply report the breach; companies must include information detailing the nature of the breach, the approximate number of data subjects and personal data records impacted, the likely consequences of the breach, and measures taken or proposed to address the breach and its negative effects.

Without a pre-defined incident response plan and the right technology, people and processes in place, meeting this 72-hour window is impossible. Weeks, months, or even years is a more accurate timeframe. But as unrealistic as 72 hours might seem, failing to meet this deadline can result in heavy fines, loss of consumer trust and a damaged reputation. Rather than risk severe penalties such as these, organizations are reassessing their operational readiness to detect and respond to a breach, so they can make the 72-hour window an achievable goal.

Here’s a look at some of the most effective ways companies have revamped their incident response programs over the past year to meet GDPR’s stringent breach notification regulation: 

Technology: Implementing network visibility, policy orchestration, and data collection and analysis technology 

The only way organizations can provide the level of detail into a breach specified by GDPR is by having the right technology in place. And it all starts with visibility – because you can’t protect (or get information about) an asset if you don’t’ know it’s there.  

This is why many organizations are implementing network infrastructure monitoring technology that provides complete network visibility into data at rest, data in transit, and data in process.  But it doesn’t stop there, visibility must be sustained for all assets residing across each computing environment (on-premise, virtual, hybrid-cloud, multi-cloud, etc.). 

Once companies have an accurate understanding of the endpoints, data, and other resources living on their networks, they can create the proper zones of control, bringing each under the right network policies and access rules with automated policy orchestration. Policy orchestration helps security teams achieve continuous security and compliance with regulations like GDPR, because it enforces appropriate access rights for all corporate assets. In the event of non-compliance, policy orchestration technology makes it easier for security teams to identify where the violation occurred. Remember, as it relates to GDPR, identification, classification and protection of personally identifiable information is paramount to compliance. 

Last, but certainly not least, to meet the 72-hour breach notification deadline, companies must have technology that automates data collection and analysis. This capability is important, because, in the event of a breach, security teams must be able to quickly obtain the answers the supervisory authority requires, including how the breach happened, its duration, who it affected, the damage it caused, etc.

In today’s dynamic IT infrastructures, trying to derive these answers manually is impossible, period … never mind doing so within 72-hours. With the right technology automating these processes, though, security teams can get the information they need almost instantly.  

People: Assembling an incident response team

When it comes to incident response, there are a lot of moving parts – from performing data collection, investigation and analytics processes, to mitigating damage, to communicating to the data protection officer (DPO) and other relevant parties. That’s why it’s a good idea to assemble a breach response team beforean incident occurs. Clearly define each member’s roles and responsibilities, so they can immediately jump into action in the event of a breach. Not only will this help with GDPR breach notification requirements, but it will also help limit the negative effects of a breach.

Processes: Implementing data protection impact assessments

Data protection impact assessments are an important part of GDPR; data controllers are required to perform assessments to identify risks to user data before beginning data processing activities. But conducting post-breach impact assessments is also important, because they allow the incident response team to determine if other information is at risk, from either a security or compliance perspective. Developing these post-breach impact assessments early on and having them at the ready can help response teams execute them quickly following a breach to prevent other system attacks and network compromises. 

GDPR Strengthens Incident Response

In today’s cybersecurity landscape, it’s no longer a matter of “if” a company gets breached, but “when.” Limiting the damage of a breach is the next best alternative to preventing a breach in the first place, and an effective incident response strategy allows companies to do just this. 

While strong incident response is certainly not the primary purpose of GDPR, it sure is a nice bi-product of the legislation – one that allows organizations to not only meet the 72-hour breach notification deadline, but to contain damage and mitigate additional risk in the process.


  • Maximizing Your Security Budget This Year

    7 Ways You Can Secure a High-Traffic Commercial Security Gate  

    Your commercial security gate is one of your most powerful tools to keep thieves off your property. Without a security gate, your commercial perimeter security plan is all for nothing. Read Now

  • Making Safety and Security Intrinsic to School Design

    Public anxieties about school safety are escalating across the country. According to a 2023 Gallup report, 44% of parents fear for their child’s physical safety at school, a 10 percentage-point increase since 2019. Unfortunately, these fears are likely to increase if the incidence of school tragedies continues to mount. As a result, school leaders are now charged with two non-negotiable responsibilities. The first, as always, is to ensure kids have what they need to learn, grow, and thrive. Sadly, their second responsibility is to keep the children in their care safe from threats and physical danger. Read Now

  • The Power of a Layered Approach to Safety

    In a perfect world, every school would have an unlimited budget to help secure their schools. In reality, schools must prioritize what budget they have while navigating the complexities surrounding school security and lockdown. Read Now

  • How a Security System Can Enhance Arena Safety and the Fan Experience

    Ensuring guests have both a memorable experience and a safe one is no small feat for your physical security team. Stadiums, ballparks, arenas, and other large event venues are increasingly leveraging new technologies to transform the fan experience and maintain a high level of security. The goal is to preserve the integrity and excitement of the event while enhancing security and remaining “behind the scenes.” Read Now

Featured Cybersecurity


New Products

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure. 3

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening. 3

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions. 3