As part of the TrustArc Privacy Insight Series Webinars, Ashley Slavik, Senior Counsel & Data Protection Officer, Veeva Systems Inc. and K Royal, Consulting Director, TrustArc, discussed how companies can plan for and respond to a data breach in compliance with the GDPR. Ashley and K gave best practices, suggested tools, and tips for addressing GDPR Article 33 and Article 34. This blog post will give a brief summary; you can listen to the entire webinar and download the slides here.
Before going into data breach requirement details, our speakers discussed the different notification requirements for Controllers and Processors and gave examples of each. Then, they went over documentation requirements throughout the lifecycle of an event.
After making the determination that a breach has occurred, there are various practical responses a company can use. Ashley and K discussed several of them, and also discussed how to achieve operational effectiveness.
A few general tips our speakers provided were:
- It would be helpful to identify a lead supervisory authority where your European headquarters are located, depending on what makes the most legal sense for your company
- Do not call an incident a “breach” until the person with the authority to make that determination has evaluated the incident
- Incident plans should accommodate all possible scenarios
- Do a simulation exercise, as suggested by Andrea Jelinek, Article 29 Data Protection Working Party (WP29) Chair
TrustArc offers GDPR Implementation assistance, such as building and testing a data breach incident response plan. Our expert consultants can help create an effective response program, create customized incident response process flows, customize record keeping tools, develop a retention schedule and procedures for record keeping, and go through a mock incident to test and refine the process. Find out more here.