Ever since the invention of the sundial, nothing has haunted humanity more than a lack of time. Man's curse ever since has been to periodically mutter the phrase "there's not enough hours in the day" in the hope the planet may spin a little slower and grant us our wish. It hasn't worked yet.
The Impending GDPR
The pressure of time has increasingly occupied the minds of many IT security leaders of late. The impending crawl towards the introduction of the GDPR (General Data Protection Regulation) into both UK and European law is all-consuming. Social media and news outlets are awash with information relating to required changes and the subsequent warnings of penalties so severe they could cause liquidation (of the organisation, not the individual).
Come May 2018, the rush to the compliance finish line will finally be over; however, the time pressure will not abate.
Time is of the Essence
The GDPR has been specifically designed to empower citizens and protect their personal data, forcing changes such as anonymisation of data, increased security controls and thorough risk analysis. The creators were under no illusion: breaches would still occur in even the most rigorously defended of networks, and so the GDPR includes provisions to ensure sufficient response.
Data controllers (those who own the data) are compelled, in circumstances where a breach includes the loss of personal information, to report this to their data protection authority (the ICO in the UK) within 72 hours. There is some breathing room in that the 72-hour clock only begins ticking at the point the data controller becomes aware of the breach. Without specific information on how this will be determined, the ICO is likely to ask for evidence proving when the breach was detected.
There are some exceptional circumstances, albeit unhelpfully interpretive ones. If disclosure is likely to represent a risk to the rights and freedoms of the data subjects, then the three-day time pressure may become less definitive in an attempt to be flexible to the data subjects' benefit.
The GDPR doomsday clock to implementation, which today ticks down to May 2018, is on reflection a more relaxed place to be. With upwards of 16 months of preparation time, there is much that can be achieved. Once in place, the GDPR will reduce the time to respond to a breach so dramatically that shares in tenterhooks will be a good investment.
In the future, hindsight is likely to look back on the path to GDPR with envy. We had time on our side and we didn't even know it.