Don't tell them now (or at all) – responsible disclosure of security incidents under NIS Directive and GDPR

Sandra Schmitz-Berndt, Stefan Schiffner
2021 International Review of Law, Computers & Technology
In this article, we critically analyse the timeline for notifications of third parties under the NIS Directive and the GDPR in the case of security and privacy incidents from a legal and technical perspective. While a need to mitigate an immediate risk of damage for an individual would call for prompt notification of data subjects, there are scenarios which may justify a delay in communication, for instance where a service provider needs to analyse the current attack to prevent further attacks and assess the full impact. Further, we argue that notification duties in the GDPR and NISD have different protection goals which may conflict in the context of a given incident. Since they are triggered by the same incident, they may contain redundancies, which bears potential for synergies which should be capitalised by the competent authorities.
doi:10.1080/13600869.2021.1885103 fatcat:d6lqww2cw5gvzex7eqsttwrkju