
2 May 2018

GDPR - You are ready, now what?

Written by: Duncan Gallagher, Senior Director at Edelman

General

This month, all organisations that hold any data on individuals operating in the European Union will be subject to the legislation set out in the new General Data Protection Regulation (GDPR).

With compliance should come preparation for what could go wrong. While the GDPR regulations are very prescriptive about what must be done, the nuances of what needs to be considered to ensure your notification is effective as well as compliant are key to protecting an organisation's reputation.

The core notification principles of GDPR are:

  • Data breaches must be reported to the ICO (Information Commissioner's Office) within 72 hours of discovery
  • Submission should be made in written format
    • If not all the required information is available, it’s acceptable to submit the information in stages
  • The following information must be supplied as part of the notification:
    • A description of the nature of the personal data breach including, where possible:
      • The categories and approximate number of individuals concerned; and
      • The categories and approximate number of personal data records concerned;
    • The name and contact details of the data protection officer (if the organisation has one) or other contact point where more information can be obtained
    • A description of the likely consequences of the personal data breach; and
    • A description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.

The last two points are key. The more detail that can be added here, the better. A detailed notification that demonstrates the organisation was and is on top of its data management processes, and has a very good understanding of the potential impact on those whose data has been affected, is crucial to convey.

The GDPR regulations clearly state that if a breach is likely to result in a high risk to the rights and freedoms of individuals, you must inform those concerned directly and without undue delay. In other words, this should take place as soon as possible.

When notifying individuals, you need to be able to describe, in clear and plain language, the nature of the personal data breach.

More importantly, organisations need to prepare in detail the different options they have when it comes to physically notifying affected people. It is very likely that email will not be a suitable channel: the email system itself may have been compromised, and recipients may regard a notification email as spam and ignore it. So other means, such as post, need to be considered, depending on what contact data the organisation holds.

Following notification, organisations need to invest in customer service support. If the breach is significant it will generate a lot of inbound enquiries and organisations need to have the resource in place to cope with this – failure to do so could result in more reputational damage than the actual breach.

While media interest needs to be planned for, the media should be regarded as just one of the many stakeholders that need to be considered. Staff need to be kept updated, as there is a very good chance their data will be affected by the breach.

Like all regulations, compliance is just one part of the process. Being prepared, rehearsed and aware of how you would respond if you breach the regulation is key to ensuring your reputation remains intact.

A version of this post first appeared on Edelman.com