In one month’s time all organizations that hold any data on individuals that operate in the European Union will be subject to legislation set out in the new General Data Protection Regulation (GDPR).
With compliance should come preparation for what could go wrong. While the GDPR regulations are very prescriptive in what must be done, the nuances of what needs to be considered to ensure your notification is effective as well as compliant is key to protecting an organization’s reputation.
The core notification principles of GDPR are:
- Data breaches must be reported to the ICO (Information Commissioner Officer) within 72 hours of discovery
- Submission should be made in written format
- If not all the required information is available, it’s acceptable to submit the information in stages
- The following information must be supplied as part of the notification:
- A description of the nature of the personal data breach including, where possible:
- The categories and approximate number of individuals concerned; and
- The categories and approximate number of personal data records concerned;
- The name and contact details of the data protection officer (if the organization has one) or other contact point where more information can be obtained;
- A description of the likely consequences of the personal data breach; and
- A description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
- A description of the nature of the personal data breach including, where possible:
The last two highlighted points are key. The more detail that can added here the better. A detailed notification that demonstrates the organization was and is on top of its data management processes and has a very good understating of the potential impact on those whose data has been affected is crucial to convey.
The GDPR regulations clearly state that if a breach is likely to result in a high risk to the rights and freedoms of individuals, you must inform those concerned directly and without undue delay. In other words, this should take place as soon as possible.
When notifying individuals, you need to be able to describe, in clear and plain language, the nature of the personal data breach.
More importantly, organizations need to prepare in detail the different options they have when it comes to physically notifying affected people. It is very likely that email may not be available as this may have been compromised and recipients may regard it as spam and ignore it. So other means like postage need to be considered, dependent on what data the organization holds.
Following notification, organizations need to invest in customer service support. If the breach is significant it will generate a lot of inbound enquiries and organizations need to have the resource in place to cope with this – failure to do so could result in more reputational damage than the actual breach.
While media interest needs to be planned for, they should be regarded as one of the many stakeholders that need to be considered. Staff need to be kept updated as there is a very good chance their data will be impacted as part of the breach.
Like all regulations, compliance is just one part of the process, being prepared, rehearsed and aware of how you would respond if you breach the regulation is key to ensuring your reputation remains intact.
Duncan Gallagher is Crisis Practice Lead, Edelman Europe.