GDPR Article 33: Planning and Response for the 72 Hour Window

Jul 12, 2018

Back to Veoci BlogGDPR Article 33: Planning and Response for the 72 Hour Window

Responding to a data breach is a high-pressure situation, especially when you consider the EU's newest privacy regulation, the General Data Protection Regulation (GDPR), and its requirements. If you and your organization fall under the scope of the GDPR, you need to know what your obligations per the GDPR are. Jennifer McTiernan, General Counsel at Veoci, and Nathaniel Ellis, Co-founder and Solutions at Veoci, explored these topics in a recent webinar. In case you missed it, here's a quick rundown of what they covered.

The GDPR basics

Businesses all over the world are still figuring out the GDPR. Certain pieces of it still need interpretation, but you can get some of the known basics here. Overall, the GDPR is an opportunity to raise the bar for data management practices on a global scale and to build more trust between data collectors and data subjects.

Data controllers, data processors, and data breaches

[For a complete overview of the obligations of both data controllers and data processors, visit] The GDPR establishes two important distinctions: data controllers and data processors. Data controllers start the data collection process, and their responsibilities reflect this:

  • Establishing the legal basis for collecting data
  • Defining the use and purpose of the collected data
  • Determining what data and whose data is collected

Data processors are much more hands-on with the data, and their responsibilities spell that out:

  • Determining how personal data is stored
  • Deciding which security practices are used to protect the stored data
  • Determining how data is deleted, disposed of, or produced at the request of a data subject

Article 4 of the GDPR defines a data breach as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed." When a breach happens, each party has another set of obligations to meet. A data processor must notify their data controller as soon as possible if they're hit. But data controllers have to do much more, including:

  • Notify their supervisory authority within 72 hours of discovery
  • Describe the breach, the number of involved data subjects, and the compromised data
  • Direct data subjects to where they can obtain more information
  • List the likely consequences of the breach
  • State the data controller's plan for addressing the breach, as well as ways data subjects can mitigate the effects
  • Document the event

Beating the 72 hour window

Communication is the key to complying with the GDPR's 72 hour data breach reporting window. The Veoci team has already developed working breach response plans and solutions which can be launched with a mouse click or finger tap, with a clear focus on maintaining security, facilitating collaboration, and opening lines communication.

"Handling a highly sensitive and time-sensitive situation - this is not happening over email, this is happening in a secure environment"

When a plan is launched, notifications are immediately sent out and initial triage begins as team members quickly swap information. This continues as the breach response escalates with team members commenting in a Veoci room and its message threads. The conversation includes everyone, but remains organized and accessible. This inclusivity comes with Veoci's flexibility as a platform; the same flexibility also creates exclusivity when it's necessary. 

Side Rooms can be locked with access given only to specific stakeholders; for the GDPR response plan, Side Rooms can launched and used to protect sensitive information while keeping specific people informed. Along with these communication capabilities and controls, Veoci also provides integrated process tools such as Checklists, Tasks, and Workflows, to round out the entire response. Workflows and tasks can push a response along the right steps as it escalates, based on established plans and current conditions. At its heart, a data breach response process is about transparency, accountability, and speed.  A successful data breach response must have a documentation system with robust access controls so the right people can see the right reports; easily defined and assigned roles for maintaining accountability; and powerful communication tools to keep things moving at a rapid pace.

Hitting every mark

"Handling a highly sensitive and time-sensitive situation - this is not happening over email, this is happening in a secure environment" says Jennifer McTiernan. What Veoci provides is a safe environment for sharing delicate information and resolving high-pressure situations, and it streamlines the process along the way. It's the ideal platform for tackling any data breach response. 

What to Read Next: GDPR has a big impact on crisis management and business continuity. See how to prepare your programs under the new EU regulation.

Veoci offers solutions in a number of industries. See what Veoci can do for your organization today. 

Subscribe to the Veoci Blog

Receive all the latest emergency, crisis, and continuity management news, tips, and advice

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Related Posts

Maintaining Institutional Knowledge: Building an Effective BCMP

Much of the strength behind a BCMP solution lies in the institutional knowledge it inherently establishes. There are many platforms out there that can help you build your BCMP components, but it is essential that you find one that also has the capacity to foster institutional knowledge.

Continue reading
Getting the Most Out of Real-World Exercises

Exercising a BCP is rarely as simple as the online guides suggest. A business continuity manager has to jump through a lot of hoops to get that final, show-ready polish on a BCP. They’re often chasing buy-in from each corner of the organization and bugging business unit leads and department managers to test BCPs and record the outcomes. What can a business continuity manager do to encourage the heads in their organizations to actively participate and do their part in preparing for disruptions?

Continue reading
How IT Outages Affect Businesses: Recognizing and Preventing Outages

How much damage can a business system outage cause? As is pretty clear these days, they happen often, and can have serious impact. Take, for example, Visa’s payment network outage. On June 1st, 2018, Visa’s payment system in Europe went down for nearly ten hours, halting many personal and bank transactions. The massive, complex nature of the system made it difficult to pinpoint the root cause of the outage, adding hours of downtime and many degrees of frustration for the company’s customers. After performing their root cause analysis, the company identified a “very rare partial failure” of a switch in one of their data centers as the cause of the outage.

Continue reading

Connect with us on Social Media

Join us on our journey to improve emergency, operations, and continuity management!

Veoci Facebook PageVeoci Twitter AccountVeoci Linkedin Company Page

Face crisis and continuity challenges with expert solutions designed for you and your teams.

Learn how Veoci puts you in control