A five step crisis plan to prepare for the pending data protection legislation

Neil Thacker is information security and strategy officer EMEA at Forcepoint.


The clock is officially ticking for organisations to get their data protection policies in order, now that the final draft and approved text have been made available for the General Data Protection Regulation to replace the existing EU Data Protection Directive.

The new regulation is expected to come into effect in 2018 and will require businesses to put a much stricter focus on data protection. The headline items for organisations that collect or process EU citizen records are:

  • They must notify their supervisory authority of a data breach within 72 hours
  • The subject will have the right to retract consent, request data erasure or portability
  • They may face fines of up to 4% of their worldwide turnover, or €20 million for intentional or negligent violations

These increased sanctions mean it is vital that the final legislative text be fully understood by a number of key stakeholders within the business, and that businesses start planning ahead as soon as possible.

To help with that, here are five key steps organisations can take to perform a basic assessment of their current data protection strategy and identify any potential gaps that need filling.


The first task for any organisation must be to identify whether they are considered a data controller or processor. They must then review the relevant obligations these carry, such as issuing notice to citizens and maintaining relevant consent from the data subject.

Businesses should make it common practice to regularly review existing and new business processes to identify Personally Identifiable Information (PII). They can then discover where this data resides (whether it is at-rest, in-motion and/or in-use), keep a record of processing activities and understand how this data is protected.


Once PII has been identified, organisations must then make sure they adequately protect it. Encryption and access control are common control standards, but managing encrypted data across multiple business processes is a hugely difficult task.

Data sovereignty and data lifecycle are key to helping businesses ensure that EU citizen data is processed and stored appropriately. In addition to this, they also need to manage data flows to approved third party processors, monitor for accidental data leakage from negligent or malicious employees and protect against data theft from external agents.


If an organisation does suffer a loss of data, then it is vital to detect the breach and identify whether PII records were lost or stolen. If they were, the business will be required to notify the necessary authorities within 72 hours of the discovery to initiate a full investigation.

The investigation will focus on identifying the source and destination of the breach through event and incident information from Data Leakage Prevention (DLP) and Data Theft Prevention (DTP) tools. Data forensics will then help to pinpoint the stolen data, at which time the business will be required to issue notice to any affected data subjects.


Incident response is critical to protecting data, including EU citizen data. In addition to the mandatory data breach notification requirement, organisations must also ensure they have implemented an effective incident response plan. This plan must have been tried and tested to ensure that employees involved in a data breach response are familiar with and fully understand the new legislation and communication channels.


In the aftermath of a data breach, businesses must ensure they maintain ongoing communication with the relevant authorities. This will ensure secondary loss factors are managed and affected data subjects are kept regularly informed.

Data protection and the safeguarding of EU citizen data have always been important requirements for businesses, and the impending GDPR places even greater emphasis on the value of this data. It is therefore more important than ever for businesses to fully understand their role and apply the appropriate security controls that allow them to identify and protect this data. Having an established data breach plan in place will then help businesses be familiar with the detection, response and recovery phases to ensure they limit the effect of the attack.
