Tag Archives: GDPR

Today I published an updated and strengthened Privacy Policy on this website. The policy is one component of the considerable work required to prepare for the European Union’s General Data Protection Regulation (GDPR) – due to come into effect on May 25, 2018.

While the GDPR initially seemed fairly daunting for a small operator, I came to appreciate that it also presents an opportunity to build strong relationships and trust on the basis of a real commitment to the security, privacy and confidentiality of my clients and the users of my website and other channels.

Equal treatment for everyone

While the GDPR focuses on protecting the personal information of individuals in the EU, I strongly believe that data privacy is a right that belongs to you, wherever you are.

Because the GDPR is widely seen as the global gold standard for personal privacy – a standard that sits above (and in many cases, significantly above) those set in other countries and jurisdictions – you can expect me to apply the principles and rights associated with the regulation equally to everyone, everywhere.

OK, so what does this mean in practice?

The new Privacy Policy should give you a good idea what this means in terms of the day-to-day collection, management and use of your personal information, as well as your rights to access and control that information.

Behind the scenes, I have been reducing the amount of data I hold on my clients and others. For example, personal information about a client is now reduced to the bare minimum once a project has finished or a contract expired. In addition, personal information about all business contacts has been taken off the cloud and stored locally, encryption beefed up, and passwords strengthened and changed more regularly.

Much of my business comes from referrals, which means I do little or no direct or email marketing, online commerce, or online customer support. This may change as I continue to expand my business, and in all cases will involve me clearly telling you what information is being collected about you, why it is being collected, and who, if anyone, it may be shared with and for what reason.

Stay in touch

Protecting your personal privacy is not just about hitting a deadline – it is an ongoing process.

Stay tuned to this blog for further updates, and do send any feedback, comments or questions you have to privacy@charliepownall.com.

There has been much talk in the PR/communications industry about GDPR, mostly concerning marketing and media relations from a compliance perspective. There has also been considerable discussion in the legal and cybersecurity worlds about what GDPR means for data breach reporting.

By contrast, there has been relatively little guidance on how communicators should prepare to handle data breaches under the EU’s tough new regulatory regime. Given the volume of high-profile breaches, widespread anxiety about privacy, and low levels of trust in companies, it is essential that companies get their communications response right.

GDPR notification and communications grey areas

The GDPR ups the ante significantly. Article 33 requires a controller to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Article 34 goes further: where the breach is likely to pose a ‘high risk’ to those rights and freedoms – for example identity theft or fraud, financial loss, damage to reputation, discrimination, or emotional distress – the controller must also communicate it to the affected individuals without undue delay.

Despite clarification from the EU Article 29 Working Party in the form of its Guidelines on Personal Data Breach Notification (pdf), some operational, legal – and reputational – grey areas remain, notably concerning:

  • Timing – what constitutes a ‘reasonable’ degree of certainty that a breach has occurred
  • Level of risk – how to define that a risk to individuals’ rights and freedoms is ‘high’
  • Loss of availability – whether a breach is temporary, or permanent.

These grey areas, outlined in more detail in the slides below, may cause companies to delay or even avoid the disclosure of a known breach.


How PRs should prepare for GDPR

Here are five steps for PR/communications teams to prepare for the likelihood of having to respond to a data breach under GDPR:

  1. Understand GDPR and notification requirements, grey areas and best practices
  2. Educate leadership, legal, IT, security and other stakeholders about customer and stakeholder privacy needs and expectations; cyber/data breach reputation trends, risks and impact; and the role of communications in data breach preparation and response
  3. Ensure PR/communications is represented on relevant cybersecurity committees and teams
  4. Develop/update your corporate data breach response and crisis communications plans by assessing and prioritising the different types of data breach risk, including the reputational risks, both to your organisation and to the individuals affected; and by developing communications plans for each type of breach
  5. Test and update these plans regularly – specifically data breach protocols and processes; messaging and content; your digital/social media dialogue and feedback capabilities; and leadership decision-making and team dynamics.

UK Information Commissioner Elizabeth Denham says the ICO will be proportionate in how it levies sanctions and fines. Nobody wants a fine, yet the long-term reputational impact can be far more onerous.

Are you ready for a data breach? Test your reputational defences with Charlie Pownall’s Data Breach Preparedness and Response advisory and training services.