GDPR's Most Frequently Asked Questions: Does the GDPR require that I hire an external forensic investigator if I suspect a data breach?

Bryan Cave Leighton Paisner

The European Union’s General Data Protection Regulation (“GDPR”) is arguably the most comprehensive – and complex – data privacy regulation in the world. As companies prepare for the GDPR to go into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.

To help address that confusion, Bryan Cave is publishing a multi-part series that discusses the questions most frequently asked by clients.

Question: Does the GDPR require that I hire an external forensic investigator if I suspect a data breach?

Answer: No. The GDPR anticipates that companies will investigate security incidents in order to determine if they fit the definition of a “personal data breach,” and that, once a personal data breach has been confirmed, a company will continue its investigation to:

  • Gather evidence,
  • Determine the nature of the data breach,
  • Determine the categories of data subjects impacted,
  • Determine the quantity of data subjects impacted,
  • Determine the type of personal data impacted,
  • Assess any risk to data subjects,
  • Determine what, if any, steps might be taken to mitigate the breach or mitigate any security vulnerabilities.[1]

The GDPR does not mandate, however, that the investigation be conducted by an external forensic investigator.  Depending upon the type of breach involved, and the proficiency of internal resources, some companies may be able to complete their investigation using only internal resources.

1. GDPR, Article 33(3)(a)-(d).  See also Article 29 Working Party, WP250 Guidelines on Personal Data Breach Notification Under Regulation 2016/679 (3 October 2017).
