Co-presenter, "Want to Play a GDPR Breach Notice War Game?" Davis Wright Tremaine Webinar
By Brandon H. Graves, Amy Mushahwar, and Alexander B. Reynolds
Cyber risks are constantly evolving, but the General Data Protection Regulation (GDPR) adds a new complication to a company’s incident response procedure: notice to the appropriate Data Protection Authorities (DPAs) within a 72-hour time frame.
To illustrate this, we hosted a mock crisis conference call for a client with data in the U.S. and EU. Using the facts of a mock incident intake call, we explored the practical legal and risk-based decision-making around giving notice of a data security incident.
Our coordinated team of U.S. and EU lawyers covered topics that included:
- Deciding to notify or not to notify: how has the risk calculus changed?
- How do you operationalize GDPR within existing incident response plans?
- What is the depth of content required within the 72-hour notice to DPAs?
- How will the quick notice time frame in the EU impact the U.S. breach analysis?
- How should a regulatory notification be timed alongside notification to other stakeholders?