The General Data Protection Regulation (GDPR) has been with us for over a year. It was greeted with a tremendous fuss, with the threat of fines running into the millions.
Organisations ran around like headless chickens while their lawyers drafted privacy notices and policies, and proffered advice on what to do about breaches.
The Information Commissioner’s Office (ICO) has shown its teeth by imposing a record £180m fine on British Airways, followed by a £100m fine on Marriott last month. Both fines were imposed after hackers stole huge amounts of personal data.
But while the legal risks are largely understood, it is only now that organisations are waking up to the reputational risks of a data breach.
So if your business finds itself subject to a data breach, what action should you take?
First, if a breach presents a risk to individuals’ rights and freedoms, the ICO must be notified within 72 hours.
If the breach poses a high risk to those rights and freedoms, such as the loss of financial information, affected individuals will need to be notified without undue delay.
And here lies the first challenge: how will you notify these people?
Generally, this would be by email. But IT servers may not physically be able to cope with an email to half a million people or more in one go. Add to that the likelihood that not all customers will have an email address, meaning that traditional post may be the only answer for some.
The next question is whether your database holds correct, up-to-date contact details for each affected individual so that this can actually happen. The ICO will take a dim view of any delay.
And while organisations are not required under GDPR to tell staff of any data breach, customer services and social media teams should be informed and briefed on how to manage the concerns of affected customers.
A tweet from a disgruntled customer can all too quickly travel the world, often gathering pace as it does.
With this in mind, your communications team and lawyers should work together from the outset to decide what any communication to customers should include.
While the chief executive might be the public face of the company, in organisations with a confrontational boss a member of the comms team or a specialist PR agency might be the better spokesperson.
The timing of customer notification is critical, particularly where there is the risk of fraud following the loss of financial or personal information.
Delaying notification risks reputational damage and could possibly lead to increased fines. But also consider that if you send too early, the full extent of the breach may not yet be understood. It can be a fine line, and again, your lawyers and communications team are best placed to advise.
When considering whether to dish out a fine and in what magnitude, the ICO will undoubtedly look at how the breach occurred and how it could have been prevented. But it will also look at the steps you took to remedy and mitigate the consequences of the breach.
Complying with GDPR is important, but businesses should also have a plan in place in case of a data breach – because reputational damage can hit just as hard as the legal implications.