In a blog post for Intralinks, Deema Freij, CIPP/E, writes about Article 33 of the General Data Protection Regulation, under which an organization must report a data breach within 72 hours. Freij looks into possible questions raised by the wording of Article 33, including what constitutes an “undue delay” that might keep a data controller from reporting a personal data breach. Freij also points out that many organizations do not have a clear process in place for handling a potential breach. While it is clear what an organization should do when a breach occurs, it is easier said than done. “Finding out what the breach is, who has been affected, how wide it is and how it happened all within 72 hours is not easy — especially when companies want to be remediating damage caused by the breach in this time,” writes Freij. “This is where having thorough processes shows its value, because all of this information will need to be relayed to the regulator.”