Daren Glenister

What is Article 33? GDPR: High-Stakes and Limited Time to Prepare

Article 33 and the GDPR

With the General Data Protection Regulation (GDPR) coming into force in nearly three months’ time, you’d think most enterprises in the European Union (EU) would be prepared, especially considering the steep penalties in place for noncompliance. However, cases like the recent data breach at Norway’s Health South-East RHF make it crystal clear that organizations are still struggling to come to grips with the impending regulation. The healthcare organization reported that approximately 2.9 million people may have been affected in the incident, and that its reporting did not meet the breach notification timeline outlined in Article 33 of the GDPR. Had the regulation been in effect, they’d be in some serious hot water.

What is Article 33?

Article 33 requires that, in the case of a personal data breach, the data controller notify the competent supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it.” Two parts of this wording should raise a few eyebrows. First, “without undue delay” is the primary obligation and 72 hours is the outer limit: a notification made after 72 hours must be accompanied by the reasons for the delay, so the 72-hour window is not a grace period that starts once “undue delay” has been exceeded. Second, the duty differs for data processors and controllers: a processor must notify the controller without undue delay, and the controller’s 72-hour clock starts when the controller becomes aware of the breach. Authorities have left this part of the regulation open to some interpretation because circumstances differ. For instance, there may be cases where it’s simply not possible to establish the full facts of a breach within 72 hours due to either scale or impact, and the regulation also exempts breaches that are unlikely to result in a risk to the rights and freedoms of individuals. Although there may be some exceptions, most organizations should still be prepared to meet the 72-hour requirement.


How to put a breach reporting process in place

If an organization doesn’t have a fully-defined breach reporting process, it needs to put one in place, and fast. Companies should start by being able to establish the following when an incident occurs:

  • What type of data is involved, and whether it is personally identifiable information (PII)
  • What data has been impacted, where it is located, and how widespread the attack is
  • Who needs to be notified within the organization
  • How to contact the appropriate regulator
  • What needs to be communicated to customers
  • What steps are in place to resolve the breach
  • How to stop the breach from expanding into other areas of the network
  • What the internal reporting process is, and whether the board, executives, and legal are involved

Identifying this information swiftly can help businesses notify the appropriate national data protection regulator (and anyone who was impacted) within the required time. While this may seem relatively straightforward, figuring out what was breached, who was impacted, how widespread the breach is, and how it happened is not an easy task to achieve in 72 hours. Companies also need to remediate the damage the breach has caused and prevent it from spreading even further at the same time. So, having well-developed processes and plans for these incidents in place will help organizations, like Health South-East RHF for example, meet the mandate within the allotted timeframe.

Easing nerves and becoming prepared

If you’re becoming nervous because your organization has yet to put these processes in place, you should be. While some regulatory bodies may focus more on educating and training organizations about the nuances of the regulation, others may have high expectations from the beginning and impose harsh penalties against offenders right out of the gate. Regardless of which regulatory body your organization reports to, companies should prepare for the worst-case scenario. The regulation is very clear that fines for noncompliance can reach €20 million or 4% of a company’s total worldwide annual turnover, whichever is higher, which can be devastating to an organization.

That said, it’s important to prepare for additional parts of the regulation. Organizations who strive for compliance should also consider:

  • Appoint a data protection officer: GDPR (Article 37) makes a data protection officer mandatory for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data; the often-cited 250-employee threshold actually concerns the record-keeping obligation in Article 30, not the officer requirement. Even if GDPR doesn’t make a data protection officer mandatory for your company, it would be well-advised to designate an expert to implement a strong compliance plan and to keep the C-suite informed on how personally identifiable information (PII) is being continuously protected.
  • Evaluate vendors: While it’s important to make sure your own organization is prepared, it’s equally important to make sure cloud providers and vendors are compliant. It’s critical for companies to ask how much data the vendor is managing, how it’s going to be stored, and whether they also have the proper policies and governance in place. Because a processor must notify its controller of a breach without undue delay, companies should also confirm, in contract, how quickly a vendor will report a breach, since a slow vendor can consume most of the controller’s own 72-hour window.
  • Consider data in motion: Often, companies focus their time on securing databases and servers, but they also need to consider data in motion. Information can be shared within and outside the organization through the cloud, so businesses need to track how it moves and who has access to sensitive company information.

Time’s not up – be proactive

Even though there’s much to consider and prepare for, time hasn’t run out just yet. Organizations can still prepare for Article 33 and other portions of the GDPR by defining processes, asking the right questions, and bringing in the proper expertise to plan in advance.

By Daren Glenister

Daren is the Field Chief Technology Officer for Intralinks. Daren serves as a customer advocate, working with enterprise organizations to evangelize data collaboration solutions and translate customer business challenges into product requirements.

Glenister brings more than 20 years of industry experience and leadership in security, compliance, secure collaboration and enterprise software, having worked with many Fortune 1000 companies to turn business challenges into real-world solutions.
