The European Union’s General Data Protection Regulation (“GDPR”) is arguably the most comprehensive – and complex – data privacy regulation in the world. As companies prepare for the GDPR to go into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.

To help address that confusion, Bryan Cave is publishing a multi-part series that discusses the questions most frequently asked by clients.

Question: Does the GDPR require that I hire an external forensic investigator if I suspect a data breach?

Answer: No. The GDPR anticipates that companies will investigate security incidents in order to determine if they fit the definition of a “personal data breach,” and that once a personal data breach has been confirmed that a company will continue its investigation to:

  • Gather evidence,
  • Determine the nature of the data breach,
  • Determine the categories of data subjects impacted,
  • Determine the quantity of data subjects impacted,
  • Determine the type of personal data impacted,
  • Assess any risk to data subjects,
  • Determine what, if any, steps might be taken to mitigate the breach or mitigate any security vulnerabilities.1

The GDPR does not mandate, however, that the investigation be conducted by an external forensic investigator. Depending upon the type of breach involved, and the proficiency of internal resources, some companies may be able to complete their investigation using only internal resources.