Archive

Crisis communications

There has been much talk in the PR/communications industry about GDPR, mostly concerning marketing and media relations from a compliance perspective.

There has also been considerable discussion in the legal and cybersecurity worlds about what GDPR means for data breach reporting.

By contrast, there has been relatively little guidance on how communicators should prepare to handle data breaches under the EU’s tough new regulatory regime.

Given the volume of high-profile breaches, widespread anxiety about privacy, and low levels of trust in companies, it is essential that companies get their communications response right.

GDPR notification and communications grey areas

The GDPR ups the ante significantly. Article 29 requires the mandatory notification to customers (in addition to regulators) of a data breach, data loss, or data leak within 72 hours if it is seen to pose a ‘high risk’ to the rights and freedoms of individuals in terms of identity theft or fraud, financial loss, damage to reputation, discrimination, or emotional distress.

Despite clarification from the EU Article 29 working party in the form of Guidelines of Personal Data Breach Notification (pdf), some operational, legal – and reputational – grey areas exist, notably concerning:

  • Timing – what constitutes a ‘reasonable’ degree of certainty that a breach has occurred
  • Level of risk – how to define that a risk to individuals’ rights and freedoms is ‘high’
  • Loss of availability – whether a breach is temporary, or permanent.

These grey areas, outlined in more detail in the slides below, may cause companies to delay or even avoid the disclosure of a known breach.

How PRs should prepare for GDPR

Here are five steps for PR/communications teams to prepare for the likelihood of having to respond to a data breach under GDPR:

  1. Understand GDPR and notification requirements, grey areas and best practices
  2. Educate leadership, legal, IT, security and other stakeholders about customer and stakeholder privacy needs and expectations; cyber/data breach reputation trends, risks and impact; and the role of communications in data breach preparation and response
  3. Ensure PR/communications is represented on relevant cybersecurity committees and teams
  4. Develop/update your corporate data breach response and crisis communications plans by assessing and prioritising different types of data breach risks to your organisation, including the reputational risks to your organisation, and for the individuals impacted; and developing communications plans for different types of breach
  5. Test and update these plans regularly – specifically data breach protocols and processes; messaging and content; your digital/social media dialogue and feedback capabilities; and leadership decision-making and team dynamics.

UK Information Commissioner Elizabeth Denham says the ICO will be proportionate in how it levies sanctions and fines. Nobody wants a fine, yet the long-term reputational impact can be far more onerous.

Are you ready for a data breach? Test your reputational defences with Charlie Pownall’s Data Breach Preparedness and Response advisory and training services.

Tim Bell has been widely – and rightly, in my opinion – excoriated for his ‘car crash’ Newsnight appearance before Kirsty Wark defending his role in Bell Pottinger’s demise.

With his (former) company on the verge of bankruptcy, his own name being dragged through the mud, and mindful of the potential impact of his own consultancy Les Frontieres, Bell set out to distance himself from events, and from his sparring partner James Henderson.

Arguably, he just about managed it, even if he also came across as arrogant, dismissive, and shifty.

He also made a notable gaffe by leaving his phone switched on.

But was this the silly, cringe-worthy error it appeared?

Bell is a seasoned PR hand who prepped Margaret Thatcher, amongst others, for media interviews.

There is almost zero chance he would accidentally have left his phone on. And even less chance that he would have failed to turn it off again during a high-profile, high stakes interview.

Bell deliberately left his phone on and enlisted friends to call and message him in order to disorientate and distract his interviewer from the outset.

The diversionary tactic failed. Wark stuck doggedly to her task and proved she was not for turning – leaving Bell in an even deeper hole.

Thatcher must be looking askance in her grave.

Crisis Proofing - How to Save your Company from Disaster, by Tony Jaques

Whey protein concentrate (‘WPC 80’) may not be the best known or sexiest product, but it is certainly big business. Deriving from cow’s milk, and a by-product of cheese production, it is used in baby formula, beverages, and a host of food supplements, including for bodybuilders.

Like other dairy products, WPC 80 is susceptible to contamination, the result of which can be deadly when digested. So when Fonterra, New Zealand’s largest company and the world’s largest dairy products producer, discovered in July 2013 that 38 tonnes of concentrate had tested positive for botulism, a recall was quickly announced.

The trouble was, later tests by the government found no evidence of botulism and that the recall had been a false alarm. However, considerable damage had already been done to Fonterra, with several countries announcing milk product import bans and the company’s reputation for product quality in severe jeopardy.

The company’s independent inquiry (summary – pdf) into the incident concluded that, among other things, Fonterra was ‘not ready for a crisis of this magnitude’, that there had been a ‘failure to join the dots’ between botulism, infant food products, consumer sensitivities and the firm’s reputation, and that the company’s risk and crisis processes needed overhauling.

Fonterra’s top brass would have done well to have read Crisis Proofing, Tony Jaques’ book on how organisations should reduce the chances of a crisis happening and minimise the damage that may arise should a crisis occur.

While he gives many useful tips on crisis response, including how to navigate legal advice on apologies, Jaques’ background in issues management means his insights and practical tips on the leadership mindset, strategic approach and planning processes that enable companies to avoid train wrecks in the first place are particularly valuable.

In my experience, many companies place undue emphasis on identifying risks (especially, given their slippery nature, reputational risks), at the expense of ensuring their issues management processes work properly – an area Jaques excels in. For example, he lambasts the probability/impact and significance/influence issue prioritisation models as crude and over-simplified and instead sets out a more comprehensive and nuanced proprietary model based on an issue’s Impact, Salience, Visibility, Affectability, Proximity and Profile.

Jaques also takes aim at the reactive and ad hoc approach taken by many organisations to managing issues. Too often, he says, companies are overly focused on recording and tracking risks, and tweaking the identification, tracking and decision-making processes for the benefit of management and risk committees, as opposed to actively working to resolve them in a clear and strategic way. By contrast, his Do-it issue management model (chapter 8) is a model of clarity, practicality and focus.

At the heart of Crisis Proofing is a call for mindful leadership of the top-down variety that can seem contrary to the open and horizontal forms of organisational decision-making pushed by some contemporary management thinkers. Yet, as Jaques argues, effective crisis management demands hands-on, decisive and swift decision-making at the very top of the organisation, and a willingness to learn from mistakes and make changes.

As such, while many of the tips in Crisis Proofing are useful in day-to-day risk, issues and crisis management, the book is especially relevant to those leaders and senior decision-makers directly responsible for their organisation’s strategy, culture and reputation.

It is a book I recommend wholeheartedly.

Disclosure: I was asked by the author to review the chapter of Crisis Proofing on social media, and was subsequently provided with a review copy of the book by Oxford University Press. I also discuss Fonterra’s WPC 80 botulism scare in my book Managing Online Reputation.
