Well, the General Data Protection Regulation (GDPR) is with us, and I am sure that you have all got your policies and procedures in order and your data classified, protected and secured. Perhaps not, not yet anyway, but you’ll be there soon, no doubt.
Even those who are well-prepared remain at risk of some kind of crisis. This may derive from oversight or omission, but it is as likely to come up because the bad guys, in their various flavours, often manage to be one jump ahead of the defences.
Research by FTI Consulting with more than 500 UK business managers in large companies shows that there remains considerable concern about the ability of organisations to cope with a GDPR-related crisis, about their organisations’ vulnerability and about the potential damage to their reputation if such an event took place. TalkTalk and British Airways are examples of companies which faced very substantial public backlash following some kind of failure (not just GDPR privacy-related failure) for which they were evidently unprepared.
FTI Consulting offers a GDPR crisis response and reputation management service from which the statistics shown above come. They give examples such as:
- Data breach or cyber incident involving personal data, such as employee theft, lost laptop and inappropriate sharing to a third party
- Data protection authority enforcement action or investigation
- Responding to data subject rights including right of access, rectification, erasure, portability
The page linked to above includes a short video talk by Senior Managing Director Craig Earnshaw describing the sort of events which give rise to such a crisis and how FTI helps both in preparation for events like this and for managing them if and when they occur.
Craig Earnshaw is always good at these things anyway but, as one who increasingly uses video to transmit messages, I have to take my hat off to whoever filmed this one. If you look closely at the television set on the wall behind Craig, you will see that at about 01:10, just as Craig refers to “a GDPR-related crisis”, a large explosion appears on the screen. At 01:31, as Craig talks about the importance of communication, the scene switches to a man at a microphone. This is subliminal messaging of a high order.
You do not need this extra touch to get the message out about the importance of planning for a crisis, as a technical matter, as a client support matter and as a communications matter.