Carolyn Crandall, Chief Deception Officer at Attivo Networks:
Many organisations have been able to address Articles 32 and 25 of GDPR, but many still struggle with Article 33. Numerous organisations have difficulty identifying if an incident happened and if it happened, they have trouble modifying their strategy to report within 72 hours. Previous directives from the EU 95/46 made no specific mention of data breaches and GDPR now sets a clear directive as to what constitutes a data breach, how the incident is to be reported and the substantial penalties for not complying. This has required businesses to reassess their technology and processes in order to understand their ability to detect, audit, and report breaches in compliance with GDPR. Closing these gaps, in many cases, requires the adoption of new technology to ensure that the attack is not only detected but also understood in a way that can explain the magnitude of the breach and the corrective actions to contain it. Whether it be access to budget, skills shortages, or otherwise, a fair amount of organisations remain hard-pressed to comply with this article if faced with a breach today.