GDPR and security: balancing crisis and reputation management

Share this post:

A recent survey by Hurwitz & Associates shows that a surprising number of companies are not yet prepared for GDPR-related financial and reputational risks. Those findings are remarkable. Of course security is nothing new: there are already existing laws on data protection and in essence it is not unreasonable for people to expect that organizations take every precaution to safeguard the sensitive personal information that is entrusted to them.

In the past, it was possible to choose how to handle breach. Once GDPR is here, active communication will be the only option, and you may incur potential fines for breach, as well as risk harm to your company’s reputation. In the Netherlands, we have made a head start on implementing this new legislation; this rule has been in force since 1 January 2016.  Companies have to report data leaks within 72 hours. Of course, you want to prevent unnecessary communications about interventions. In short: how can you ensure the right balance between crisis and reputation management?

Essentially, this is all about three Cs: Confirm, Control and Communicate. First, you need to quickly and accurately confirm that there has been a Personal Data breach. Next, you must check the nature of the data involved (identified during the prior risk and data assessment phase) and what has happened to it, to determine the impact and decide what the next steps need to be, based on the risk level.  Then you have to inform the individual data subjects affected without delay, unless the data was encrypted. The communication to data subjects must describe the nature of the breach AND recommendations for mitigation. You must also inform the supervisory authorities And do that within 72 hours, and the authority may still require you to communicate the breach to data subjects. If such data subject communications would take a disproportionate effort then then public communications methods can be used to to update data subjects in an effective manner.

Confirm and control activities can be done using security solutions, such as IBM Security Guardium.  Guardium not only helps you protect your data in various ways, but also makes it possible to see who may have tampered with data and when – even within cloud based networks. If there has been a potential data breach, recommendations based on your business workflow support you take the right steps of the escalation process in time. As an organization, you can have the right tools at your disposal to handle the communication process with the authorities/regulators, clients and staff.

For instance, a large French bank used Guardium to help secure and protect data on 400 servers containing 150 sensitive applications, and support their GDPR requirements at the same time. The bank has automated its data compliance, audit processes and workflows, including consolidating audit records and sending report notification and distribution to oversight teams, speeding sign-offs and escalations. This also helped the bank show that they had prepared ahead to minimize the likelihood of a data breach.

The final C, communicate, is the responsibility of the organizations involved. Based on all steps that have been taken to confirm and control the data breach, the Data Protection Officer (DPO) and external relations can actively send out consistent.

Curious to know more? Learn how you can simplify getting ready for GDPR from a few best practices and get a grip on your crisis and reputation management.

IBM nominated as ICT service supplier – Computable Awards 2017

Privacy issues are changing and the new legislation is leading. In May 2018, the new GDPR legislation will become effective, with new requirements for processing and processing personal data. IBM is one of the largest data processors and has acquired the necessary knowledge with previous privacy laws. It has resulted in a GDPR-specific architecture framework that IBM offers as a service. The main purpose of the GDPR assessment is a roadmap that prepares an organization for this GDPR legislation and to test risk factors in the organization of the client.

The complete jury report (in Dutch)

Vote for ICT service supplier of the year – IBM – Computable Awards 2017!

Notice:  Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsibility for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations.  The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.