After an incident involving personal data loss, compliance officers must report findings within 72 hours of discovery.

The hugely successful TV thriller series “24” focused on a single day in a US government agent’s career, constantly reminding the audience that this was “the longest day” of his life as he overcame a series of seemingly insurmountable challenges.
“Events occur in real time,” agent Jack Bauer’s voiceover portentously announced at the start of each episode.
The EU’s General Data Protection Regulation (GDPR), which came into effect in May of this year, means that legal departments, company compliance officers and information security officers (CISOs) may find themselves facing the “longest three days of their life” while attempting to comply with the EU’s rigid 72-hour deadline for making an accurate assessment of the incident, with supporting information relevant to the breach.
Legal executives may also find themselves in the firing line, as they frequently have responsibility for all compliance issues. It is essential, therefore, that corporate legal departments are aware not only of the legal responsibility of complying with the EU’s GDPR, but also of the technical aspects of damage limitation and data protection. This includes being able to provide post-incident evidence that the company had taken all reasonable precautions to prevent a breach and that, when one did occur, it took the correct steps to identify the source, remediate the issue, correctly assess the possible impact and notify affected individuals.
An event, “Managing Data Breaches Under UKGDPR”, taking place in London on Wednesday November 27, will recreate the sequence of events from the perspective of different roles in the business, each attempting to make sense of sometimes conflicting information while remaining conscious of the GDPR 72-hour deadline. It will show the procedures that can be put in place to cope with and manage the three days of massive pressure during which the company must not only supply all information relevant to the breach to the Supervisory Authority, but also work urgently with third parties, contact affected customers and manage the PR.
The event will open with security researcher and white-hat hacker Igor Yuklyanyuk giving a practical demonstration of a real-life hack, based on the one that cost British Airways (BA) a GDPR fine of £180m. Attendees will then be taken through the incident discovery, internal communications and actions, based on real-life experience and with a warts-and-all approach. Taking a step back, the presenters will then discuss the steps organisations can take to be better prepared for the future. There will be a panel for questions afterwards, and booths where you can get some hands-on experience with the tools used in the presentation. The following skills and procedures form the core of the event:
Aside from the recent swingeing fines imposed by the regulator on BA and on Marriott, which was forced to pay a fine of £99m the day after the massive BA fine was announced, companies that have suffered a breach frequently suffer irreparable damage to customer and investor confidence. Just to add to the pressure over the three days, failure to convince the regulator that the company took every precaution in advance to prevent a breach can also leave the CEO and senior executives facing personal prosecutions for professional negligence.
With such high stakes riding on the first crucial 72 hours after the breach, there is very little time to identify the precise source of the breach, carry out damage limitation and discover the full extent of the theft and damage. Event organisers, GDPR compliance firm UKGDPR and data privacy compliance specialist OneTrust, will present a step-by-step guide on how best to allocate time and resources in the critical first 72 hours of an incident.
Data Protection Impact Assessments (DPIA) are an essential, and often mandatory, process under the regulation. Attendees at Managing Data Breaches Under UKGDPR will receive a free copy of UKGDPR’s new handbook: “Running Successful DPIAs”.
Copyright © 2019 Legal IT Professionals. All Rights Reserved.