The General Data Protection Regulation (GDPR) requires organisations to notify personal data breaches to their supervisory authority within 72 hours, unless the breach is unlikely to result in a "risk" to the rights and freedoms of the affected individuals. In "high risk" situations, a notice must also be sent to the affected individuals.
But how does the organisation determine the level of risk and appropriate response to breach reporting?
Often it can be subjective - based on gut feel and instinct - leading to inconsistent handling and residual risk due to the lack of clear governance and control. As supervisory authorities demand greater levels of accountability for decision making, it has never been more important to apply a consistent response handling approach, based on objective and quantitative criteria.
Highly Commended at the Financial Times Innovative Lawyer Awards, Innovation in the business of law: New products and services, 2019
NOTIFY is a web based tool, designed by the DLA Piper data protection and privacy team to bring consistency and accountability into breach response handling:
- Quantitative approach: instead of basing the assessment on ad hoc decision making and gut feel, the tool uses a quantitative approach measuring the risk of a data breach based on an algorithm.
- Objective approach: the criteria used for building the algorithm and measuring the severity are all drawn from official sources: the GDPR, the European Network Information Security Agency and the European Data Protection Board.
- Consistency: the tool includes a decision engine that asks systematic questions to assess risk based on an algorithmic model, securing a consistent approach, independent of the individual using the tool.
- Efficiency: using the tool reduces the assessment of a data breach from many hours of conversations and assessments to under one hour.
- Automated report creation: the tool automatically creates a report that can be used for documentation purposes, in line with Article 33(5) GDPR.
We have a range of pricing models for on-premise implementations of the tool, or alternatively DLA Piper can host the tool on our network to maximise privilege.