There has been much talk in the PR/communications industry about GDPR, mostly concerning marketing and media relations from a compliance perspective. There has also been considerable discussion in the legal and cybersecurity worlds about what GDPR means for data breach reporting.
By contrast, there has been relatively little guidance on how communicators should prepare to handle data breaches under the EU’s tough new regulatory regime. Given the volume of high-profile breaches, widespread anxiety about privacy, and low levels of trust in companies, it is essential that companies get their communications response right.
GDPR notification and communications grey areas
The GDPR ups the ante significantly. Article 29 requires the mandatory notification to customers (in addition to regulators) of a data breach, data loss, or data leak within 72 hours if it is seen to pose a ‘high risk’ to the rights and freedoms of individuals in terms of identity theft or fraud, financial loss, damage to reputation, discrimination, or emotional distress.
Despite clarification from the EU Article 29 working party in the form of Guidelines of Personal Data Breach Notification (pdf), some operational, legal – and reputational – grey areas exist, notably concerning:
- Timing – what constitutes a ‘reasonable’ degree of certainty that a breach has occurred
- Level of risk – how to define that a risk to individuals’ rights and freedoms is ‘high’
- Loss of availability – whether a breach is temporary, or permanent.
These grey areas, outlined in more detail in the slides below, may cause companies to delay or even avoid the disclosure of a known breach.
How PRs should prepare for GDPR
Here are five steps for PR/communications teams to prepare for the likelihood of having to respond to a data breach under GDPR:
- Understand GDPR and notification requirements, grey areas and best practices
- Educate leadership, legal, IT, security and other stakeholders about customer and stakeholder privacy needs and expectations; cyber/data breach reputation trends, risks and impact; and the role of communications in data breach preparation and response
- Ensure PR/communications is represented on relevant cybersecurity committees and teams
- Develop/update your corporate data breach response and crisis communications plans by assessing and prioritising different types of data breach risks to your organisation, including the reputational risks to your organisation, and for the individuals impacted; and developing communications plans for different types of breach
- Test and update these plans regularly – specifically data breach protocols and processes; messaging and content; your digital/social media dialogue and feedback capabilities; and leadership decision-making and team dynamics.
UK Infomation Commissioner Elizabeth Denham says the ICO will be proportionate in how the ICO levies sanctions and fines. Nobody wants a fine, yet the long-term reputational impact can be far more onerous.