The Article 29 Working Party has recently published updated guidance on the personal data breach notification rules in Articles 33 and 34 of the General Data Protection Regulation (GDPR). The most important part of the update concerns the requirement for organisations to put in place incident detection technologies that can 'immediately' detect whether a security incident has occurred. This obligation is set out in Recital 87. As well as helping with the actual management of the incident, the requirement is significant because it can crystallise the beginning of the time period for giving notice to the regulators. That period is "without undue delay", commencing from the moment the controller becomes 'aware' of an incident, and is subject to a 72-hour long stop.
The guidance recognises that the controller may undertake a 'short period' of investigation in order to establish whether or not a breach has in fact occurred and, during this period, the controller may not be regarded as 'aware'. However, it is clear that this investigation should begin as soon as possible and, if good quality incident detection technologies are in place, it should commence from the exact moment that the detection technologies deliver an alert.
How can you detect potential incidents in real time, and what tools can you use? Organisations need tools that monitor all forms of logs in real time and scan for all manner of vulnerabilities. Monitoring the network and incorporating threat intelligence feeds makes detecting potential security incidents both more manageable and faster.
Depending on the criticality of the systems involved, monitoring can range from a system administrator looking through system event logs, to a small monitoring centre inside the organisation, up to contracting a dedicated security operations centre for network monitoring. For example, Smarttech247 has a dedicated security operations centre that uses IBM QRadar SIEM (security information and event management) for network monitoring on behalf of our customers, and which also incorporates artificial intelligence in the form of IBM Watson for Cyber Security. By using a dedicated security operations centre, organisations can leave network monitoring and incident handling to dedicated security professionals. Whatever method an organisation opts for, however, there has to be some form of network monitoring, one way or another. After detection, it is important to carefully and correctly identify what kind of incident has occurred and on which subnets and hosts (as the case may be) it occurred. Has there been a loss of data or confidential information? Are critical assets involved? How much impact has it had on the network?
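The detection-to-awareness chain described above, as an added illustration that is not part of the original post or of any Smarttech247 or IBM product: a small monitor matches constructed connection-log lines against a constructed threat intelligence feed, tags each hit with the asset segment and whether personal data lives there, and records the alert time as the moment of 'awareness' together with the 72-hour notification long stop. The log format, feed entries, subnets and segment names are all assumptions made for the example.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed threat-intelligence feed (documentation-range IPs, hypothetical labels).
THREAT_FEED = {"198.51.100.23": "known C2 server", "203.0.113.77": "phishing host"}
# Constructed asset inventory: subnet -> (segment name, holds personal data?).
ASSETS = {
    ipaddress.ip_network("10.0.1.0/24"): ("HR database segment", True),
    ipaddress.ip_network("10.0.2.0/24"): ("guest wifi", False),
}
# Constructed log format: "<ISO-8601 timestamp> <src ip> -> <dst ip>".
LOG_RE = re.compile(r"^(\S+) (\S+) -> (\S+)$")
NOTIFY_WINDOW = timedelta(hours=72)  # Article 33(1) long stop

def classify_host(addr):
    """Map a source address to its asset segment and whether personal data lives there."""
    ip = ipaddress.ip_address(addr)
    for net, (name, personal) in ASSETS.items():
        if ip in net:
            return name, personal
    return "unknown segment", False

def detect(log_lines):
    """Alert on every log line whose destination is on the feed; alert time = 'aware' time."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than guess
        ts, src, dst = m.groups()
        if dst not in THREAT_FEED:
            continue
        seen = datetime.fromisoformat(ts)
        segment, personal = classify_host(src)
        alerts.append({
            "aware_at": seen,
            "notify_by": seen + NOTIFY_WINDOW,
            "host": src,
            "segment": segment,
            "personal_data_at_risk": personal,
            "indicator": THREAT_FEED[dst],
        })
    return alerts

# Constructed sample logs; only the second and third lines hit the feed.
SAMPLE_LOGS = [
    "2018-05-25T09:00:00+00:00 10.0.1.15 -> 192.0.2.10",
    "2018-05-25T09:05:12+00:00 10.0.1.15 -> 198.51.100.23",
    "2018-05-25T09:07:40+00:00 10.0.2.8 -> 203.0.113.77",
]
```

Calling detect(SAMPLE_LOGS) returns two alerts; the first flags the HR segment as holding personal data and sets notify_by to exactly 72 hours after the 09:05:12 hit, which is the figure an incident handler would carry into the notification decision.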