Not Telling The Whole Truth
Despite the threat of fines, reputational damage and major service interruptions, some companies may still be tempted to keep serious breaches of the regulation quiet. In fact, the role of the data protection officer (DPO) as an independent compliance expert within the organisation may isolate them, creating an “us vs them” culture which could fuel this kind of thinking.
It goes without saying that this would be a huge miscalculation guaranteed to result eventually in serious repercussions. The GDPR is all about forcing organisations to be more open, transparent and accountable. Concealing the mishandling of customer data shows deliberate disregard for these key tenets.
On a less serious note, we may find organisations not telling the whole truth about a data breach incident simply because they don’t have enough information to hand. This is why continuous network monitoring, advanced breach detection and incident response plans are essential, given the GDPR’s strict 72-hour notification requirement.
Increasing visibility into your data flows and security controls is a must-have. Organisations that end up finding out about a breach via a third party will immediately be on the back foot, and may find it hard to meet the strict time limits effectively. Remember: a ransomware outage could also be covered under the GDPR if you are not able to “restore the availability and access to personal data in a timely manner”. This makes it essential to maintain a best practice backup policy, according to the 3-2-1 rule (three copies of the data, on two different media, with one copy held offsite).
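As an added illustration of the 3-2-1 rule mentioned above (example code, not from the original article), the following script checks a backup inventory against the three conditions and reports which ones fail. The inventory, the `BackupCopy` record type and the media names are constructed for the example; the primary live copy is counted as one of the three.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class BackupCopy:
    """One copy of a data set: where it lives, on what kind of medium, and whether it is offsite."""
    name: str
    medium: str      # constructed labels, e.g. "disk", "tape", "object-storage"
    offsite: bool


def check_321(copies):
    """Evaluate a list of BackupCopy records against the 3-2-1 rule.

    Returns (compliant, findings) where findings lists each failed condition.
    """
    findings = []

    # Rule 1: at least three copies in total (primary copy included).
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies; 3-2-1 requires at least 3")

    # Rule 2: copies spread over at least two distinct storage media, so a
    # single media-level failure (or ransomware on one platform) cannot take them all.
    media = {c.medium for c in copies}
    if len(media) < 2:
        findings.append(f"all copies on one medium ({', '.join(sorted(media)) or 'none'}); need at least 2")

    # Rule 3: at least one copy held offsite, so a site outage still leaves a restorable copy.
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy; need at least 1")

    return (not findings, findings)


# Constructed sample inventories (not real systems).
COMPLIANT_INVENTORY = [
    BackupCopy("primary-db", "disk", offsite=False),
    BackupCopy("nightly-snapshot", "disk", offsite=False),
    BackupCopy("weekly-tape", "tape", offsite=True),
]

WEAK_INVENTORY = [
    BackupCopy("primary-db", "disk", offsite=False),
    BackupCopy("local-mirror", "disk", offsite=False),
]


if __name__ == "__main__":
    for label, inventory in (("compliant", COMPLIANT_INVENTORY), ("weak", WEAK_INVENTORY)):
        ok, findings = check_321(inventory)
        print(f"{label}: {'OK' if ok else 'NOT COMPLIANT'}")
        for f in findings:
            print(f"  - {f}")
```

Run against the weak inventory the script reports all three conditions as failing; that is the kind of gap that turns a ransomware incident into a notifiable availability breach, because there is no independent copy from which to restore in a timely manner.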
Under-reporting is a serious infraction of the law, but we may also see many SMEs over-reporting after 25 May. It’s up to regulators to be clear about what constitutes an incident, and for firms to seek guidance on this. The impact otherwise could be wasted resources on both sides.