Surviving the crucial 72-hour GDPR deadline after a cyber attack
The successful TV thriller series “24” focused on a single day in a US government agent’s career, constantly reminding the audience that this was “the longest day” in his life as he overcame a series of seemingly insurmountable challenges.
“Events occur in real time,” agent Jack Bauer’s voiceover portentously announced at the start of each episode.
The EU’s General Data Protection Regulation (GDPR), which came into effect in May 2018, means that company information security officers (CISOs) and IT Directors may also find themselves facing the “longest three days in their life” while attempting to comply with the EU’s rigid 72-hour deadline to make an accurate assessment of the incident, with supporting information relevant to the breach.
The event, “Managing Data Breaches Under UKGDPR” is taking place in London on Wednesday 27 November and will recreate a series of events from the perspective of different roles in the business. These stakeholders will attempt to make sense of sometimes conflicting information while ever conscious of meeting the GDPR 72-hour deadline. It will outline procedures that can be put in place to cope with and manage the three days of massive pressure when a company must not only supply Supervisory Authorities with information relevant to the breach, but also work urgently with 3rd parties, contact affected customers and manage communication consequences.
This event will open with security researcher and white-hat hacker Igor Yuklyanyuk giving a practical demonstration of a real-life hack, based on the one that cost British Airways (BA) £180m in GDPR fines. Attendees will then be taken through the incident discovery, internal communications and action, based on real-life experience and with a warts-and-all approach. Taking a step back, the presenters will then discuss the steps they take to be better prepared for the future. There will be a panel for questions afterwards, and booths where you can get some hands-on experience with the tools used in the presentation. The following skills and procedures form the core of the event:
- Breach discovery
- Making key decisions with limited information and under mounting stress
- Top communications steps to avoid
- What, when and how to notify regulatory authorities
- Post incident clean-up procedures that can be prepared in advance
Aside from the recent fines imposed on BA and Marriott, companies that have suffered a breach frequently suffer irreparable damage to customer and investor confidence. Just to add to the pressure over the three days, failure to convince the regulator that the company took every precaution in advance to prevent a breach can also leave the CEO and senior executives facing personal prosecutions for professional negligence.
With such high stakes riding on the first crucial 72 hours after the breach, there is very little time to identify the precise source of the breach, carry out damage limitation and discover the full extent of theft and damage. Event organisers, GDPR compliance firm UKGDPR and the leader in privacy, security and third-party risk management technology, OneTrust, will present a step-by-step guide on how best to allocate time and resources in the critical first 72 hours of an incident.
Data Protection Impact Assessments (DPIA) are an essential, and often mandatory, process under the regulation. Attendees at Managing Data Breaches Under UKGDPR will receive a free copy of UKGDPR’s new handbook: “Running Successful DPIAs”.
Media Contact Details
Tony Glover, TGPR
London, UK