The GDPR (Article 33) requires a controller to notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it. The notification must describe the nature of the breach, including the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed; where the breach is likely to result in a high risk to individuals, the affected data subjects must be informed as well (Article 34). The regulation also gives data subjects rights that bear on how data is stored: the right to erasure (Article 17, often called the right "to be forgotten") lets a data subject have their personal data deleted, and the right to data portability (Article 20) lets them receive their data in a structured, machine-readable format or have it transmitted to another controller.
This radically changes the way companies have to deal with data breaches. Most companies deal with breaches after the fact, bringing in investigative teams, often from outside the company on a temporary basis, and it can take many weeks or several months to get to the bottom of a breach. Under the GDPR, the initial response has to shorten from a couple of months to a couple of days: a controller must be able to detect that a breach has occurred, assess its scope, and notify the authority within the 72-hour window. The regulation does allow the notification to be provided in phases when all the facts are not yet known (Article 33(4)), but the follow-up must still come without undue further delay, so after the initial report a company has to move quickly to determine exactly which data was compromised. In practice this means the logging, asset inventory, and data-flow documentation needed to answer "what was accessed, and whose data was it" must already exist before the incident, not be assembled during it.