Chapter 8: GDPR Compliance: Incident Response and Breach Notification Challenges
Over the last decade, the proliferation of computing devices with greater processing power and of ubiquitous, internet-ready hardware has facilitated the creation and sharing of vast amounts of data. This has increased the risks to personal data and rendered earlier data privacy regulations less effective in the digital age. The General Data Protection Regulation (GDPR) became applicable across EU member states on 25 May 2018 and brought radical changes to the rules governing the processing and sharing of personal data and to how its protection is administered by organisations. GDPR necessitates the re-assessment of existing frameworks in order to meet the requirements set out in its articles and recitals, notably the Article 33 obligation to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it. This research addresses the challenges of integrating GDPR into incident response and breach notification plans, and proposes a conceptual Decision Support System (DSS) to address the challenges identified. Existing industry standard frameworks, namely ISO 27001, NIST and SANS, were analysed alongside focus group interviews with subject matter experts to gather feedback on the relevance and applicability of a DSS in meeting GDPR compliance requirements. The findings of the study reveal a number of compliance gaps in existing incident handling frameworks which could be mitigated by employing the decision support techniques proposed in the study.