Time is ticking, get ready for GDPR



In just under a year's time the European Union will bring into force the General Data Protection Regulation (GDPR), an effort to unify and strengthen data protection for individuals and to require greater transparency and accountability from the organisations that hold their data.

If they haven't yet, businesses handling the personal data of EU citizens need to start taking steps towards compliance. This includes UK businesses: Britain will still be an EU member when the regulation takes effect, and it will continue to apply afterwards to any business that handles the data of people in the remaining EU states. It is also likely that the regulation will be carried over into UK law. 25 May 2018 is just around the corner and there are a number of important implications to consider.

The main objective of GDPR is to give people greater control and better safeguards when it comes to the storage and use of their personal data and to simplify the regulatory environment for international businesses, which currently have to work with different regulations in each member state.

In short, the three main implications for businesses are:

  • Increased accountability: Companies will need to understand whether they act as a data controller or a data processor for each set of personal data, and in either role they must keep adequate records of processing and apply appropriate security measures. Public authorities, and organisations whose core activities involve large-scale or systematic processing of personal data, will have to designate a data protection officer. Comprehensive governance measures will also need to be developed if they are not in place yet.
  • Obligation to inform authorities: A company will need to notify the supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned.
  • Tougher fines: For serious offences, a fine of up to €20m or 4% of the company's total worldwide annual turnover, whichever is higher, may be imposed. Less serious offences will still face a fine of up to €10m or 2% of total worldwide annual turnover, whichever is higher.

The requirement that companies report a data breach within 72 hours of becoming aware of it has serious consequences for communications professionals and the organisations they work in.

Clearly the concept of 'awareness' is likely to be contested, and it will probably take legal precedent to settle it: in many instances a cyber incident can be suspected but not confirmed without further investigation. But the reality is that many of the incidents that have thus far been managed and contained internally will now have to be disclosed, with the associated reputational risk and potential for client panic.

Furthermore, any failure to meet the breach-reporting requirements could have similarly severe consequences for the business, and not only from a monetary perspective. It could damage its reputation and bottom line in the short and long term, as any punitive action against a business is likely to be seen as an admission of culpability.

What should communications professionals do?

First, it is advisable to carry out an audit of the firm's data privacy policy and of the communications processes that would be used in the event of a data breach. This audit should be part of a strategic review, carried out with senior management and the operational departments.

Second, once there is a clear understanding of the existing processes and of where the gaps are in relation to the requirements imposed by GDPR, a working group should develop the protocols to be followed in the event of a breach. It is important that this working group involves C-level executives, IT, compliance and data protection officers as well as the senior communications team.

Third, the company must ensure that the agreed security measures are actually implemented, that staff are trained, and that its customers are kept informed about how their personal data is protected.

Finally, in the event of a breach, communications professionals must ensure that the protocols established earlier are followed as planned, and that the supervisory authority is fully informed within 72 hours of the company becoming aware of the breach. This leaves little time to work 'on the job' and so demands greater preparation, such as pre-drafting statements, Q&As and memos for the 'most likely' incident scenarios.

While this may be seen as an inconvenience at best and an infringement of business confidentiality at worst, organisations should treat GDPR as an opportunity to prevent reputational damage and improve their image. Being seen to take data security seriously will help customers feel more secure and increase their trust in the company. Trust and reputation go hand in hand.

A year might seem a long way off, but failing to be compliant by 25 May 2018 could have very serious consequences for any organisation. Take action now!


Marina Jane-Sanchez