International data breach law update: Preparing for GDPR

In a little more than a year, the realm of consumer data protection will undergo a paradigm shift. When the European Union General Data Protection Regulation (GDPR) takes full effect on May 25, 2018, every company that does business with citizens of EU member countries will be required to notify authorities of a data breach within 72 hours of discovering the event or face stiff fines. The rule applies to any company, located inside or outside the EU, that offers products or services to citizens of EU member countries, and that collect, process and hold personal data of EU citizens.

Impact on data breach response preparedness

More companies than ever now have data breach response plans in place, but it’s probably safe to say the majority of American businesses that have plans focus on domestic response. For example, a data breach that involved personally identifiable information (PII) for customers in both the U.S. and Europe might once have triggered notification for domestic consumers only. Now, your data breach response plan will need to have an international element that addresses how your organization will manage a breach subject to GDPR requirements.

Before the GDPR takes effect, it’s imperative to update and practice your data breach response plan to ensure your company will be compliant with the new law. Critical steps should include:

1. Create a multinational response team.

When an international data breach occurs, no organization can afford to be scrambling to pull together the team of vendors — lawyers, communications specialists, data breach resolution providers and forensic experts — they will need to be in compliance with the GDPR. Identify these partners now, and establish relationships proactively to ensure a smooth response to an international data breach.

2. Engage stakeholders.

One of the most challenging aspects of the GDPR is the 72-hour notification requirement. The rule also requires notification of affected consumers “without undue delay.” Currently, it takes the average U.S. company 40 days to notify consumers after discovering a breach. Proactively engaging stakeholders, including vendor teams, legal partners, and data protection authorities, to build relationships throughout the year could mean the difference between compliance and running afoul of the regulation.

3. Prepare to notify and support international consumers.

Notifying international customers of a data breach has layers of complexity you’ll need to plan for. For example, call centers will need to be able to speak the native language of affected consumers — many of whom have never received any kind of data breach notification before. It’s likely they’ll have more questions and concerns than U.S. consumers.

Likewise, notification letters will need to be written in the appropriate language, and take into account cultural differences. You should also decide proactively if you will offer identity protection services to affected international consumers; although not required by the GDPR, such services could help reassure international consumers affected by a data breach.

The GDPR is a game-changer for any company that does business in the EU. Every organization will need to update its data breach response plan to ensure it can respond quickly, effectively and in compliance when an international data breach occurs.