12 Apr 2018

Unless you’ve been living under a rock, it will come as no surprise to you that the General Data Protection Regulation (GDPR) will finally come into force across Europe on 25 May 2018, mere weeks from now.

Seminars, workshops, roadshows, start-ups, advertisements, advertorials – all these and more have been used to warn companies that they need to change how they process and retain data or risk being faced with fines of up to €20 million or 4% of annual global turnover, whichever is higher.

And while many firms have worked with data experts, employed their own data protection officers, and changed their terms of service in an attempt to be compliant, far fewer companies have put in place contingency plans in case the worst happens and a breach does, in fact, occur. The minutes, hours and days after a breach or cyber attack are the most crucial for a firm in retaining its standing with customers, regulators and policymakers. In the 24/7 news cycle, companies have little or no time to develop a plan of action before having to inform the appropriate audiences when the worst occurs.

There are a number of steps to be taken by an organisation to ensure communications preparedness for GDPR. These include:

  • Appoint a team and an individual lead on internal communications in the event of a data breach. Establishing clear lines of responsibility for who is in charge of drafting a response and informing relevant parties is the first step to ensuring that communication of a data breach is taken seriously.
  • Have draft statements, correspondence and speaking points prepared in case of a breach. These statements should be broad enough to cover a range of issues and to allow for the insertion of relevant context and content.
  • Draw up a list of relevant stakeholders and order them in priority. Who needs to be told and when? Do your shareholders need to know, and in what timeframe? All of these questions and more need to be teased out and answered.
  • From a media management perspective, prepare a suite of agreed lines, identify spokespeople and ensure they are media trained.
  • Stress-test your plan under worst and best case scenarios. Perform a simulation of a data breach occurring in your company. Assess and refine how your staff reacted and how your plan held up under pressure.

If the above sounds familiar, it should. It is, in effect, a crisis management plan. While no amount of media management and communications will stop a company from being criticised in the media for a flaw in the design of a product or service, or lapses in proper processing, they can at least minimise the potential reputational damage that a data breach may generate.

The reality is that almost every company in Ireland is now a data company. Moreover, and in line with several polls, business trackers and the perpetually high attendance figures at GDPR seminars, many Irish companies are still coming to terms with their new obligations and are likely to find themselves in breach of GDPR early on. In the context of Ireland being seen by some of its European colleagues as ‘light touch’ and ‘business friendly’ when it comes to regulation, it would not be surprising if examples are made of the early Irish transgressors, meaning the media interest in the first few sanctions will be compounded by the potential severity of the outcome.

The takeaway lesson is this: compliance is important, but, to butcher a famous Roy Keane quote, ‘prepare to fail in case of failure’.