The EU General Data Protection Regulation (GDPR) brings with it new regulations and a focus on customer control over how, where and why data is stored. We won’t rehash the finer details of Article 29 – see the ICO guide for more information – but what’s clear is that the mandatory transparency puts businesses under greater scrutiny, particularly in the event of a data breach.
If you find yourself in the uncomfortable position of dealing with a personal data breach, either as a result of a chink in your network or human failings such as a lost memory stick or laptop, then your first instinct may be to panic. This can result in hasty decisions and ill-advised responses to your network of customers, stakeholders and the media; something that can’t be revoked at a later date.
GDPR grants a 72-hour window to tighten up your security protocol and issue a response to anyone affected by the breach. Given the scale of work and the implications if you don’t comply, your best defence is a good offence. So rather than dealing with a breach only as it happens, opt for early intervention instead.
The CIPR (Chartered Institute of Public Relations) has put together a handy five-point plan for preparing for a data breach under GDPR, which can be summarised as:
- Understand your obligations and best practices within GDPR
- Educate the entire business from leadership to IT about privacy expectations and reputation, trends and risk and the role of communications
- Engage with your PR or communications team and ensure they’re brought into any conversations relating to cybersecurity issues
- Update or develop your data breach response and crisis communications plans. Include the reputational risks the business may incur and the risks to the individuals affected
- Test and update plans regularly, specifically data breach protocol, digital and social media dialogue and leadership decision-making
The key is to educate and advise your entire business about company security protocol and communications strategy in the event of a data breach. This level of preparedness could be the difference between a good or bad outcome in the age of GDPR.