Article 33 of the EU's General Data Protection Regulation (GDPR) stipulates that details of a breach of regulated data be reported to the regulator within 72 hours of the organization becoming aware of the breach. Ovum's recent report, Ovum Market Radar: GDPR Data Breach Management and Reporting, finds that relatively few vendors currently offer enterprise-strength solutions to help meet this challenging obligation, but that demand is likely to reward these early-to-market players.
Data breach management and reporting must be established as an organizational capability
The formal requirement to inform regulators, and possibly affected EU citizens, together with greatly increased potential penalties for noncompliance, escalates the importance of handling breach reporting properly. Those penalties could be as high as 4% of global turnover or €20m ($22.8m), whichever is greater, but enterprises also have to consider impacts such as the erosion of citizens' trust in organizations when breaches become known, and the effect on corporate reputation and brand value (both of which are keenly felt at executive level).
Breaches have become all too common, with the UK Government's 2017 Cyber Security Breaches Survey indicating that 46% of businesses were aware of a breach or attack having occurred in the last year. There could be many and varied reasons for data breaches, including complex cybersecurity threats, or simple human errors such as the loss of a portable device. Unfortunately, the potential for breaches to arise continues to grow with the increased diversity of user behavior and systems environments (for example, cloud-based services and Internet of Things devices).
Ovum research indicates that GDPR is increasing risk awareness and driving security-related investments as a common high priority. While security protection is certainly worthy of close attention, we advise that organizations of all types should consider investing in a breach management and reporting capability to link together the many stakeholders that should contribute. Departments and personnel that may be involved include legal and compliance, HR, marketing and communication, and IT. It is particularly important that any third-party partners involved in the required action relating to the data breach are also aware of their responsibilities. A breach management and reporting solution enables the establishment of processes and approvals, collaboration, data management and integration, and standardized reporting that will be required to help organizations to meet these high-stakes GDPR obligations successfully.
Ovum Market Radar: GDPR Data Breach Management and Reporting, INT003-000284 (November 2018)
"The importance and breadth of GDPR obligations on data breach reporting should not be underestimated," INT003-000152 (March 2018)
Alan Rodger, Senior Analyst, Infrastructure Solutions