Simplify Compliance with GDPR Breach Notification Obligations

The RADAR incident response and decision-support platform helps privacy professionals and their organizations comply with the complexities of the EU General Data Protection Regulation (GDPR), effective May 25, 2018. This broad legislation poses significant challenges for compliance professionals, including a 72-hour breach notification timeline as well as hefty consequences for noncompliance – potential fines up to €20M or 4% of an organization’s total worldwide annual turnover, whichever is higher.

Request a Demo

Software for GDPR Breach Notification within 72 Hours

GDPR Ready with RADAR

Building on a proven and automated multi-factor risk assessment platform for US State, federal, and sector-specific data breach laws, RADAR has extended its patented Breach Guidance Engine™ to provide consistency and efficiency for compliance with the GDPR’s complex breach risk assessment and notification obligations. RADAR’s multi-factor and multi-jurisdictional decision-support platform operationalizes breach notification under the GDPR. Using RADAR, you can:


Efficiently capture breach details and risk profiles

Through an intuitive interface, you can capture breach details including the key risk factors that drive the notification decision: whether the breach was intentional or accidental, which data protection measures (such as encryption) were in place, the outcome of any risk mitigation, and the scope and sensitivity of the personal data involved.

Quickly perform risk assessments to make consistent and timely notification decisions

Details of the breach notification requirements are codified into the RADAR Breach Guidance Engine™, which recognizes the nuances in supervisory authority (DPA) and affected individual notification requirements for organizations with or without an establishment in the EU.

Provide supervisory authority notification within the 72-hour timeframe

Track and prioritize notification requirements in a central dashboard. Create and manage notification letters directly from the assessment profile, maintaining a repository of every notification.

Benefit from automation to make efficient, informed decisions

RADAR scores the severity of a breach and the sensitivity of the data involved, generates a risk heat map, and provides decision support for both regulatory and contractual notification obligations.

RADAR GDPR Resources

Webinar

GDPR Breach Notification: Compliance Tools and Operationalizing Your Response

Strategies to efficiently keep up with ever-shifting U.S. and international data breach notification obligations.

Broadcast Date: Thursday, May 17, 2018

Webinar

GDPR 72-hour Notification: Are You Ready?

Discover the differences between US and EU data breach regulatory frameworks based on the current guidance.

Broadcast Date: Thursday, March 15, 2018

Guide

Comparison Guide: GDPR vs US Regulations

How do the mandatory GDPR breach notification requirements compare to requirements in US state and federal law?

Product Info

GDPR Ready with RADAR

Automation to simplify compliance with GDPR breach notification.

Frequently Asked Questions: Breach Notification Requirements and the GDPR

What constitutes regulated data?

Compared to US State and Federal regulations, personal data has a broader definition under the GDPR, meaning “any information relating to an identified or identifiable natural person.” The GDPR treats certain special categories of personal data with particular sensitivity: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data, health data, and data concerning sex life or sexual orientation.

The GDPR regulates personal data in electronic and non-electronic form alike; paper records are in scope when they form part of a filing system.

What constitutes a personal data breach?

Under the GDPR, personal data breach means a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” Based on this definition, an incident could potentially be categorized as one or more of the following: an availability breach, meaning accidental or unlawful destruction or loss of personal data; an integrity breach, meaning alteration of personal data; or a confidentiality breach, meaning unauthorized disclosure of, or access to, personal data.

Who may need to be notified in the event of a data breach?

Entities that may need to be notified under GDPR breach notification requirements include the affected data subjects and the lead supervisory authority (the “one-stop-shop” for organizations with an EU establishment). An organization with no establishment in the EU has no lead authority and may have to notify the supervisory authority in each Member State whose residents are affected.

What are breach notification timelines under the GDPR?

For supervisory authorities, notice is required “without undue delay and, where feasible, not later than 72 hours after having become aware” of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. If the full details are not available within 72 hours, they may be provided in phases, and a late notification must be accompanied by reasons for the delay. Every personal data breach, notified or not, must be documented internally.

For data subjects, notice is required “without undue delay” when the breach is likely to result in a high risk to their rights and freedoms.

For organizations used to US State and Federal notification regulations, the 72-hour notification window is an extremely tight timeframe. Under state laws, notification is generally required in the most expeditious manner possible, without unreasonable delay. In recent years, there has been a growing trend in state regulations to adopt more stringent notification timelines, typically 30–45 days from breach discovery.

What are mitigating factors (safe harbors or exceptions from notification) in the event of a data breach under the GDPR?

State-of-the-art encryption may be considered an appropriate technical protection measure when deciding whether notification to data subjects is required, but it is not an automatic exception from notification as it is under many US laws. In practice this only holds if the encryption key was not compromised along with the data; encryption is a factor in the risk assessment, and the assessment and its outcome must still be documented.

The only true “exception” under the GDPR relates to anonymized data. If data is anonymized, the data subject cannot be identified, which removes the data from the scope of the GDPR. Pseudonymized data does not qualify: it remains personal data because the individual can still be re-identified with additional information.
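The FAQ above describes a decision procedure: classify the incident against the GDPR breach definition, decide whether the supervisory authority and the data subjects must be told, and start the 72-hour clock from the moment of awareness. As an added illustration that is not part of the original page and is not RADAR's Breach Guidance Engine, the following Python script encodes those rules in the smallest form that still captures the practitioner traps (encryption suppresses data-subject notice but not the authority decision; anonymized data is out of scope; no EU establishment means no one-stop-shop). The Breach fields, the two-letter authority codes and the risk scoring are assumptions chosen for the example, not rules taken from the regulation.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

# Art. 33(1): "not later than 72 hours after having become aware"
SA_DEADLINE = timedelta(hours=72)


class BreachType(Enum):
    AVAILABILITY = "availability"        # accidental or unlawful destruction or loss
    INTEGRITY = "integrity"              # alteration of personal data
    CONFIDENTIALITY = "confidentiality"  # unauthorised disclosure of, or access to


class Risk(Enum):
    UNLIKELY = 0   # no notification to the authority required, but document it
    RISK = 1       # notify the supervisory authority
    HIGH_RISK = 2  # also notify the affected data subjects


@dataclass
class Breach:
    became_aware_at: datetime              # start of the 72-hour clock
    destroyed_or_lost: bool = False
    altered: bool = False
    disclosed_or_accessed: bool = False
    special_category: bool = False         # Art. 9 data: health, biometric, ...
    anonymized: bool = False               # truly anonymized data is out of scope
    encrypted_key_uncompromised: bool = False
    eu_establishment: bool = True
    lead_sa: Optional[str] = None          # hypothetical code, e.g. "IE" for a lead authority
    member_states_affected: list = field(default_factory=list)  # used when no EU establishment


def classify(b: Breach) -> set:
    """Map the incident onto the three breach types in the Art. 4(12) definition.
    One incident can be several types at once (e.g. ransomware: availability + confidentiality)."""
    types = set()
    if b.destroyed_or_lost:
        types.add(BreachType.AVAILABILITY)
    if b.altered:
        types.add(BreachType.INTEGRITY)
    if b.disclosed_or_accessed:
        types.add(BreachType.CONFIDENTIALITY)
    return types


def assess_risk(b: Breach, types: set) -> Risk:
    """Simplified scoring (an assumption for this example, not the regulation's test):
    nothing happened -> unlikely; special-category data -> high risk; anything else -> risk."""
    if not types:
        return Risk.UNLIKELY
    if b.special_category:
        return Risk.HIGH_RISK
    return Risk.RISK


def notification_plan(b: Breach) -> dict:
    """Decide whom to notify and by when. Encryption only affects the data-subject
    decision (Art. 34(3)(a)); the authority decision depends on the risk assessment alone."""
    plan = {"in_scope": True, "types": [], "risk": None, "notify_sa": [],
            "sa_deadline": None, "notify_data_subjects": False, "document_internally": True}
    if b.anonymized:
        # Not personal data, so not a personal data breach under the GDPR at all.
        plan.update(in_scope=False, document_internally=False)
        return plan
    types = classify(b)
    risk = assess_risk(b, types)
    plan["types"] = sorted(t.value for t in types)
    plan["risk"] = risk.name
    if risk is not Risk.UNLIKELY:
        if b.eu_establishment:
            if b.lead_sa is None:
                raise ValueError("lead supervisory authority must be identified (one-stop-shop)")
            plan["notify_sa"] = [b.lead_sa]
        else:
            # No lead authority: each Member State whose residents are affected.
            plan["notify_sa"] = sorted(set(b.member_states_affected))
        plan["sa_deadline"] = b.became_aware_at + SA_DEADLINE
    if risk is Risk.HIGH_RISK and not b.encrypted_key_uncompromised:
        plan["notify_data_subjects"] = True   # "without undue delay", no fixed clock
    return plan


def hours_remaining(plan: dict, now: datetime) -> Optional[float]:
    """Hours left on the 72-hour clock; negative means the deadline has passed."""
    if plan["sa_deadline"] is None:
        return None
    return (plan["sa_deadline"] - now).total_seconds() / 3600


if __name__ == "__main__":
    # Constructed sample: health records exposed, org has an Irish lead authority.
    aware = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    sample = Breach(became_aware_at=aware, disclosed_or_accessed=True,
                    special_category=True, lead_sa="IE")
    print(notification_plan(sample))
```

Note what the two encryption variants of the same incident produce: with the key intact, the data-subject notice drops out, but the authority notification and its 72-hour deadline do not change, which is the point the FAQ makes about encryption not being a US-style safe harbor.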

What are the potential fines or penalties for noncompliance with the GDPR?

The GDPR brings with it significant consequences for organizations that process or hold the personal data of EU data subjects.

One of the highest profile consequences of noncompliance is the potential for fines up to €20M or 4% of an organization’s total worldwide annual turnover, whichever is higher.

Software to automate compliance with GDPR Breach Notification

RADAR takes into account clear and nuanced differences in US and EU breach notification laws, including:

  • Definitions of breach, personal data, and regulated forms of data
  • Awareness and discovery dates
  • Regulation-specific risk of harm assessments
  • Notification timelines (whether it’s in the most expeditious manner possible, within 30 days of discovery, or not later than 72 hours after having become aware)
  • Who needs to be notified and what information must be included
  • Safe harbors or exceptions from notification