The Information Commissioner’s Office (ICO) looks like it has a point to make. The hefty fines it has imposed on British Airways and Marriott send a clear message: comply with GDPR or pay the price. The grace period is well and truly over.
A data breach is every communicator’s worst nightmare. It is an event that corporate communication teams have little ability to prevent and yet they are responsible for cleaning up the mess.
GDPR gives regulators the power to fine up to 20M Euros or 4% of global turnover, whichever is higher. British Airways was fined 1.5% of global turnover, so the fine could have been a lot more.
Not only have the fines got bigger but the risk of being fined has also increased. Data protection complaints have almost doubled year-on-year from 21,019 to 41,661.
With data breaches happening to every organisation, regardless of size and scale, PR and corporate communications teams must be ready to respond, and fast.
A crisis on steroids
Having worked at an organisation that was hit by a data breach, thankfully in the days pre-GDPR, I can tell you a data breach is like a crisis on steroids. Even companies with well-oiled crisis management processes can struggle with the multiple dimensions of a data breach.
The challenge with cyber breaches is that so many elements need to be aligned. A breach affects every stakeholder, from employees and customers to investors, partners and regulators. Communications must be consistent, fast and well-timed to make sure that no one hears about it before others. Additionally, and particularly now with the 72-hour reporting window, companies must often communicate before having all the facts.
It can take several days or weeks to ascertain the true extent of a data breach and who is vulnerable, yet PR teams must be ready to communicate long before all the facts are known.
Plan, test and repeat
There is no time to learn on the job so organisations must be prepared. A solid communications plan tested by regular simulation can not only help to minimise the reputational damage but it might also help to soften the financial damage.
One of the things a good plan should include is a list of stakeholders that you need to communicate with and an outline timeline for communications.
Often the first people that organisations will think to communicate with during a data breach are the people who have been affected, and rightly so. While the priority must always be to minimise risk and protect or warn those who have been affected, communication with other stakeholders should be aligned with this. For example, a customer shouldn't learn of the breach before investors do, or vice versa.
Don't forget the ICO
The ICO should also be included in the communications plan. While good communication with the ICO will not save you from a fine, it can help the ICO to look more favourably at your case. Being perceived as responsive, diligent and organised by responding promptly and openly to questions will help to give the impression that you are managing the breach in a responsible way.
But it's about more than just perceptions: being able to demonstrate actions can also help your case with the ICO. Showing them that you have clearly communicated the breach to those affected is important, as is acting quickly and transparently.
You only truly know if your plan is a good one by testing it. There is no time for learning on the job so holding a realistic cyber-breach simulation is the best way to do this. A simulation can help you identify stakeholder owners, test your ability to align messages and help you identify any template statements or materials that you could prepare now.
Understanding responsibilities and having some template emails or statements that can be easily adapted can save you critical hours or even a full day’s work in the event of a breach.
A crisis simulation can also help iron out any differences between your legal teams and communications teams. This is often an area where disagreements arise that could delay or complicate a response.
While no amount of preparation from PR teams can prevent a data breach from happening, a tried and tested crisis communications response plan can have a huge impact on limiting financial and reputational damage.