Cyber risks are constantly evolving, but the General Data Protection Regulation (GDPR) adds a new complication to a company's incident response procedure: notice of a personal data breach to the appropriate Data Protection Authorities (DPAs) without undue delay and, where feasible, within 72 hours of becoming aware of it.
To illustrate this, we hosted a mock crisis conference call for a client with data in the U.S. and EU. Working from the facts of a mock incident intake call, we explored the practical legal and risk-based decision making around notifying regulators of a data security incident.
Our coordinated team of U.S. and EU lawyers covered topics that included:
- Deciding to notify or not to notify: how has the risk calculus changed?
- How do you operationalize GDPR within existing incident response plans?
- What is the depth of content required within the 72-hour notice to DPAs?
- How will the short notice timeframe in the EU affect the U.S. breach analysis?
- How should a regulatory notification be timed alongside notification to other stakeholders?