The European Union’s General Data Protection Regulation (“GDPR”) is arguably the most comprehensive – and complex – data privacy regulation in the world. As companies prepare for the GDPR to go into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.
To help address that confusion, Bryan Cave is publishing a multi-part series that discusses the questions most frequently asked by clients.
Question: Does the GDPR require that I hire an external forensic investigator if I suspect a data breach?
Answer: No. The GDPR anticipates that companies will investigate security incidents in order to determine if they fit the definition of a “personal data breach,” and that once a personal data breach has been confirmed that a company will continue its investigation to:
-
Determine the nature of the data breach,
-
Determine the categories of data subjects impacted,
-
Determine the quantity of data subjects impacted,
-
Determine the type of personal data impacted,
-
Assess any risk to data subjects,
-
Determine what, if any, steps might be taken to mitigate the breach or mitigate any security vulnerabilities.1
The GDPR does not mandate, however, that the investigation be conducted by an external forensic investigator. Depending upon the type of breach involved, and the proficiency of internal resources, some companies may be able to complete their investigation using only internal resources.
1. GDPR, Article 33(3)(a)-(d). See also Article 29 Working Party, WP250 Guidelines on Personal Data Breach Notification Under Regulation 2016/679 (3 October 2017).
[View source.]
