Don’t Put the Cart Before the Horse – Effective Incident Handling Under GDPR and NIS Directive

Privacy and Identity Management (2020)

Abstract
This paper serves as notes to a lecture given at the IFIP Summer School on Privacy and Identity Management 2020. We discussed the notification requirements of the NIS Directive and the GDPR in the case of security and privacy incidents from a legal and technical perspective. In particular, we discuss timing. While the need to mitigate an immediate risk of damage to an individual would call for prompt communication with data subjects, there are scenarios which may justify a delay in communication to a wider public, e.g. a large user base. This might be advisable, for instance, where a service provider needs to analyse the current attack to prevent further attacks and assess the full impact. In the latter case, any delay in communication should still satisfy the requirement of “without undue delay”. Further, we discuss why concurrent reporting under both regimes is needed and conclude with a call for more cooperation between the respective competent authorities.
Keywords
nis directive,effective incident handling,gdpr,cart