How Can You Plan For and Respond to a Data Breach in Compliance with GDPR?
Ashley Slavik, Senior Counsel & Data Protection Officer, Veeva Systems Inc., and Dr. K Royal, TrustArc Privacy Expert, offer best practices, suggested tools, and tips for addressing GDPR Article 33 and Article 34.
Before discussing data breach requirements in depth, note that Controllers and Processors are subject to different notification requirements. Next, it’s necessary to understand the documentation requirements that apply throughout the lifecycle of an event.
After a breach has occurred, there are various practical responses a company can use.
- Identify a lead supervisory authority, typically where your European headquarters are located, depending on what makes the most legal sense for your company
- Do not call an incident a “breach” until the person with authority to make that determination has evaluated the incident
- Incident plans should accommodate all possible scenarios
- Do a simulation exercise, as suggested by Andrea Jelinek, Article 29 Data Protection Working Party (WP29) Chair
TrustArc offers GDPR Implementation assistance, such as building and testing a data breach incident response plan.
Our expert consultants can help create an effective response program, create customized incident response process flows, customize record keeping tools, develop a retention schedule and procedures for record keeping, and go through a mock incident to test and refine the process.