- November 9, 2016
- Crisis and issues
I imagine most of you have no idea what you’ll be doing on 25th May 2018. I don’t blame you. It’s the day a big piece of EU law comes in that will affect how almost every company or institution across Europe deals with its customers or users. Lots of us will be busy as this day approaches though, me included.
25th May 2018 is the date the EU General Data Protection Regulation (GDPR) comes into force.
It’s fundamental for people working in senior management, IT security and communications at any multinational business with operations in Europe.
GDPR makes every company much more responsible for its data governance, and makes it much riskier not to take it very seriously. There’ll be potentially huge fines for companies that don’t adhere to it. Fines will be 4% of worldwide annual turnover or €20 million, whichever is the higher. Figures like that can make a big hole in your profits. And it doesn’t just stop there. If a company handles it badly, there’s the added risk of follow-on claims by private individuals for compensation as a result of a cyber breach. This could even go as far as a US-style class action.
Fines and lawsuits are worrying. But I think there’s an even bigger worry for senior management: the risk to reputation.
At the moment, companies in the UK don’t have any general obligation to notify the authorities, or the individuals who’ve been affected, about data breaches, although there are some sector-specific requirements (in financial services or telecoms, for example). Partly because of that, many are blissfully unaware of the potential impact of GDPR.
From May 2018, however, that lack of obligation changes. From that date, a company that knows it has suffered a data breach will have only 72 hours to alert the authorities. Similarly, an organisation suffering a breach that is ‘likely to result in a high risk to the rights and freedoms of individuals’ will have to tell the affected individuals (i.e. customers or patients, for example) ‘without undue delay’.
This obligation means those who now stay silent will have to go public. All this means there’ll be greater scrutiny by the media and the public of how organisations deal with a breach, which in turn means a much greater risk of reputational damage. Naturally this places much greater emphasis on communications and, crucially, on planning for crisis communications.
A government survey earlier this year showed two thirds of large UK businesses have been hit by a cyber breach or attack in the last year. Media coverage and therefore awareness of cyber security and related issues are growing.
It’s surprising therefore how unprepared so many organisations are. At a recent security event I attended, 50 companies were asked if they had any communications planning in place in case of a cyber breach. No one put up their hands.
Studies have shown that the more effectively and efficiently a crisis is handled, the more likely it is that reputational damage will be limited, and the quicker the recovery will be in the following months.
There are a few immediate things to think about. Does your business have an existing crisis plan and procedure? Is it current and do the people involved in it know how it works? Is it suitable for addressing a cyber issue? How recently have you tested it?
At CNC we work alongside insurance providers, law firms, and forensic and security companies, providing clients with expert advice on communications for all aspects of cyber security. This includes everything from auditing existing procedures, reviewing or writing crisis manuals and running simulation workshops to dealing with live crises and providing immediate crisis response around the clock.
That date in 2018 seems a long way off. But for any organisation that manages user or customer data, it shouldn’t be. It should seem like tomorrow.