Tag Archives: Data protection

Complex, technical and emotive, data breaches are tough communications and reputational challenges at the best of times.

The EU’s GDPR ups the ante. Not only does it raise the prospect of bigger fines but it increases the likelihood of greater legal liability and reputational damage.

Widely regarded as the gold standard for data privacy across the world, GDPR is being adopted by many countries and regions, including the Asia-Pacific Economic Cooperation.

What does the GDPR mean for business leaders, communicators, risk managers, lawyers and others preparing for tougher data privacy laws across Asia and responding to data breaches in the EU?

Here are some important principles to bear in mind:

Take swift, decisive action to address the problem 

Companies have no option other than to move fast under GDPR. The 72 hours allowed to establish what has happened, assess the likely damage, notify the regulator(s) and communicate with those impacted can seem like precious little time, especially when the facts remain unclear.

Notification and communication can appear especially daunting when the hole remains open and the facts are unclear. Yet, the quicker a company moves to fix the hole and the more decisively it does it, the more likely it will be able to limit the actual and potential damage and rebuild confidence.

Err on the side of caution, but do not panic

It is easy to feel like you are being press-ganged into publicly disclosing a data breach. In fact, not all breaches need to be reported to the regulator, and some don’t need to be reported within 72 hours.

Some breaches do not pose a high risk to those impacted, while others may be considered temporary. In some cases, the data involved is unintelligible and/or already in the public domain; in others, the effort involved in notifying the regulator may be considered disproportionate to the actual or likely damage.

In such instances, a company may choose to inform the customer of an incident without notifying the regulator or making a public statement—provided it is confident it is on a safe footing legally.

However, generally, it is best to err on the side of caution and report a breach to the regulator. If one is unclear, information regulators will generally advise whether it needs to be reported. They may also provide guidance on whether it should be communicated with those impacted.

That said, there may be some instances in which you feel it is more important to communicate immediately with those impacted, before notifying the regulator. For example, where the data involved is extremely sensitive, or where a supplier processing data for a business customer is breached.

There are also good reasons to be wary of going straight to the data subject. Customer and stakeholder expectations vary widely on data privacy and, in the wake of an incident, their behaviours can conflict. And news of a breach typically becomes public as soon as it has been communicated with those impacted.

Whichever route you choose, it is usually best to err on the side of caution. There’s no need to panic.

Be open and honest

The GDPR and emerging data privacy policy frameworks are fundamentally about transparency and trust, with organisations expected to be open and honest about data privacy in general and data breaches specifically.

EU information regulators have said they will take seriously anything that puts these twin principles into jeopardy and that they are willing to expand investigations beyond assessing IT/cybersecurity governance and controls to testing compliance in areas like technical competence and education and training.

The same goes for customers in Asia, who increasingly expect organisations to be honest about their shortcomings and to move quickly when something goes wrong.

Consider carefully how those impacted might be affected

Understandably, company leaders and executives fret primarily about the sensitivity and volume of data involved in a breach and what it means for the well-being of their employer. But it is just as important to pay close attention to those impacted and to the context in which the incident has occurred.

In August 2018, British Airways suffered a major breach involving the personal and financial details of over 500,000 customers. Despite no evidence of fraudulent financial activity at the time, British Airways quickly appreciated that the potential for lasting reputational damage was significant, given the large number of payment card and CVV numbers involved.

Hence the airline’s decision when it acknowledged the breach to offer compensation to customers for any financial hardship suffered—a promise that may result in significant payouts and higher insurance premiums going forward. The decision almost certainly also took into account the overwhelmingly negative reaction to the airline’s 2017 IT systems outage.

Consider carefully the needs and expectations of those impacted, the degree of external and internal scrutiny the incident attracts, your firm’s historic reputation, perceived culpability and other factors when you respond to a breach.

Don’t walk away

From a communications perspective, it is tempting to treat a breach as a one-off negative event to be resolved with a little timely public grovelling.

This is a mistake.

Nowadays, people take naturally to social media to vent their experiences and concerns, which can easily spiral into secondary news stories. Leaks are common, and breaches easily bleed into other business issues, thereby aggravating the situation and elongating the news cycle.

Worse, GDPR means regulatory investigations, fines and litigation are more likely, resulting in additional negative publicity. In the process, you may also come under greater pressure to publish internal and expert investigative reports.

It is important to understand that a breach is often just the start of the reputational battle, and that you must stay – and be seen to stay – the distance in all facets of your response if you are to have any real chance of success. 

Align your response

The messiness and complexity of data breaches and the need for different business units to be involved in the response can result in sloppy, inadequate, or inconsistent communications.

Given the expanded legal obligations under GDPR, the likelihood of the emergence of equivalent regimes across Asia and heightened public awareness of data privacy rights, it is particularly important that companies’ legal and communications responses are properly aligned.

Legal and communications teams can sometimes be at loggerheads, so this is not necessarily as straightforward as it sounds. It need not be difficult. Unlike in a court of law, in the court of public opinion, a business is presumed guilty until it proves its innocence.

This doesn’t just mean one should be as open and honest as possible and that one’s rhetoric always meets reality. It means that a company must look at the wider picture, avoid inappropriate legal threats, actions, and lawyerly sounding statements, and apologize sincerely when it is at fault.

By following these principles, you will be less likely to botch your business and communications response to a data privacy incident.

More important, you will be in a much better position to persuade your customers and others that you are acting in their best interests.

This article was first published on BRINK Asia

Today I published an updated and strengthened Privacy Policy on this website. The policy is one component of the considerable work required to prepare for the European Union’s General Data Protection Regulation (GDPR) – due to come into effect on May 25, 2018.

Initially fairly daunting for a small operator, I came to appreciate that the GDPR also presents an opportunity to build strong relationships and trust on the basis of a real commitment to the security, privacy and confidentiality of my clients and the users of my website and other channels.

Equal treatment for everyone

While the GDPR focuses on protecting the personal information of EU citizens, I strongly believe that data privacy is a right that belongs to you, wherever you are.

The fact that the GDPR is widely seen as the global gold standard for personal privacy – a standard that sits above (and in many cases, significantly above) those set in other countries and jurisdictions – means that you can expect me to apply equally the principles and rights associated with the regulation to everyone, everywhere.

OK, so what does this mean in practice?

The new Privacy Policy should give you a good idea what this means in terms of the day-to-day collection, management and use of your personal information, as well as your rights to access and control that information.

Behind the scenes, I have been reducing the amount of data I hold on my clients and others. For example, personal information about a client is now reduced to the bare minimum once a project has finished or a contract expired. In addition, personal information about all business contacts has been taken off the cloud and stored locally, encryption beefed up, and passwords strengthened and changed more regularly.

Much of my business comes from referrals, which means I do little or no direct or email marketing, online commerce, or online customer support. This may change as I continue to expand my business, and in all cases will involve me clearly telling you what information is being collected about you, why it is being collected, and who, if anyone, it may be shared with and for what reason.

Stay in touch

Protecting your personal privacy is not just about hitting a deadline – it is an ongoing process.

Stay tuned to this blog for further updates, and do send any feedback, comments or questions you have to privacy@charliepownall.com.

There has been much talk in the PR/communications industry about GDPR, mostly concerning marketing and media relations from a compliance perspective.

There has also been considerable discussion in the legal and cybersecurity worlds about what GDPR means for data breach reporting.

By contrast, there has been relatively little guidance on how communicators should prepare to handle data breaches under the EU’s tough new regulatory regime.

Given the volume of high-profile breaches, widespread anxiety about privacy, and low levels of trust in companies, it is essential that companies get their communications response right.

GDPR notification and communications grey areas

The GDPR ups the ante significantly. Article 29 requires the mandatory notification to customers (in addition to regulators) of a data breach, data loss, or data leak within 72 hours if it is seen to pose a ‘high risk’ to the rights and freedoms of individuals in terms of identity theft or fraud, financial loss, damage to reputation, discrimination, or emotional distress.

Despite clarification from the EU Article 29 working party in the form of Guidelines of Personal Data Breach Notification (pdf), some operational, legal – and reputational – grey areas exist, notably concerning:

  • Timing – what constitutes a ‘reasonable’ degree of certainty that a breach has occurred
  • Level of risk – how to define that a risk to individuals’ rights and freedoms is ‘high’
  • Loss of availability – whether a breach is temporary, or permanent.

These grey areas, outlined in more detail in the slides below, may cause companies to delay or even avoid the disclosure of a known breach.

How communicators should prepare for GDPR

Here are five steps for PR/communications teams to prepare for the likelihood of having to respond to a data breach under GDPR:

  1. Understand GDPR and notification requirements, grey areas and best practices
  2. Educate leadership, legal, IT, security and other stakeholders about customer and stakeholder privacy needs and expectations; cyber/data breach reputation trends, risks and impact; and the role of communications in data breach preparation and response
  3. Ensure PR/communications is represented on relevant cybersecurity committees and teams
  4. Develop/update your corporate data breach response and crisis communications plans by assessing and prioritising different types of data breach risks to your organisation, including the reputational risks to your organisation, and for the individuals impacted; and developing communications plans for different types of breach
  5. Test and update these plans regularly – specifically data breach protocols and processes; messaging and content; your digital/social media dialogue and feedback capabilities; and leadership decision-making and team dynamics.

UK Information Commissioner Elizabeth Denham says the ICO will be proportionate in how it levies sanctions and fines. Nobody wants a fine, yet the long-term reputational impact can be far more onerous.

Are you ready for a data breach? Test your reputational defences with Charlie Pownall’s Data Breach Preparedness and Response advisory and training services.

A ruling that UK supermarket chain Morrisons is ‘vicariously’ liable for a payroll data leak of almost 100,000 staff by a disgruntled former employee has many legal ramifications. It also has significant potential reputational implications.

To reiterate: Aggrieved that he had been discovered running an eBay sales business through Morrisons’ mailroom, then-senior auditor Andrew Skelton copied and uploaded the salaries, bank details, national insurance information, postal addresses and telephone numbers of nearly 100,000 of his colleagues to a file-sharing website.

Three months later, seemingly unable to attract a buyer, Skelton sent the data to three newspapers (all of which covered the story but refused to publish the data). Within days, Skelton had been identified and arrested. He was convicted and imprisoned in July 2015.

5,518 current and former employees subsequently decided to take Morrisons to court in the first data leak class action in the UK and, in December 2017, they won on the basis of vicarious liability (in which Morrisons, as his employer, was seen to be responsible for Skelton’s actions as the data controller). The ruling is seen as unusual as the leak did not result in any reported concrete financial loss for employees.

Legal commentators have noted that while the ruling can be contested at Courts of Appeal (Morrisons have confirmed their intention to appeal), and compensation is yet to be determined, an increase in data privacy class actions in the UK and a rise in legal payouts is now possible.

The ruling also potentially poses greater reputational risks for companies suffering employee-driven data leaks, including:

  • The threat of significant negative media coverage as a result of class action litigation
  • Increased scrutiny from regulators, politicians and other decision-makers
  • The perception that leadership is insufficiently knowledgeable about and/or invested in IT/cybersecurity
  • The erosion of staff loyalty and the company’s ability to recruit new talent
  • Reduced customer loyalty and loss of sales.

As if they haven’t got enough on their plates with GDPR, the Morrisons data leak ruling adds to pressure on companies to:

  • Reinforce their overall IT/cybersecurity governance and management
  • Strengthen their Incident Response and Crisis Communications Plan(s) 
  • Enhance their leadership and employee data privacy communication, training and education programmes.

Plenty for communicators, as well as for company leaders, lawyers and IT/cybersecurity teams to sink their teeth into over the coming weeks and months.
