Unless you’ve been living under a rock, it will come as no surprise to you that the General Data Protection Regulation (GDPR) will finally come into force across Europe on 25 May 2018, mere weeks from now.
Seminars, workshops, roadshows, start-ups, advertisements, advertorials – all these and more have been used to warn companies that they need to change how they process and retain data or risk being faced with fines up to €20 million or 4% of annual global turnover, whichever is higher.
And while many firms have worked with data experts, employed their own data protection officers, and changed their terms of service in an attempt to be compliant, far fewer companies have put in place contingency plans in case the worst happens and a breach does, in fact, occur. Those minutes, hours and days after a breach or cyber attack are the most crucial for a firm in retaining their standing with customers, regulators and policymakers. In the 24/7 news cycle companies have little or no time to develop a plan of action before having to inform the appropriate audiences when the worst occurs.
There are a number of steps to be taken by an organisation to ensure communications preparedness for GDPR. These include:
If the above sounds familiar, it should. It is, in effect, a crisis management plan. While no amount of media management and communications will stop a company from being criticised in the media for a flaw in the design of a product or service, or lapses in proper processing, they can at least minimise the potential reputational damage that a data breach may generate.
The reality is that almost every company in Ireland is now a data company. Moreover, and in line with several polls, business trackers and the perpetually high attendance figures at GDPR seminars, many Irish companies are still coming to terms with their new obligations and are likely to find themselves in breach of GDPR early on. In the context of Ireland being seen by some of its European colleagues as ‘light touch’ and ‘business friendly’ when it comes to regulation, it would not be surprising if examples are made of the early Irish transgressors, meaning the media interest in the first few sanctions will be compounded by the potential severity of the outcome.
The takeaway lesson is this: compliance is important, but, to butcher a famous Roy Keane quote, ‘prepare to fail in case of failure’.