With GDPR being the hot topic of the moment, it’s worth taking a second to think about what would happen if your business data was leaked.
You may be thinking “why would anyone target me and my business”, but it’s not always your personal files that are hacked; it might be a cloud-based system like Google Drive or Dropbox that is compromised.
By definition, a data breach is a security issue where sensitive, protected or confidential data is copied, viewed, stolen or transmitted without authorisation. It can also involve accidental loss, deletion or changing of data. It’s a scary situation to be in and the reality is that it can happen to anyone.
It isn’t always a faceless organisation committing the breach; your data is also at risk from internal sources, for example, employees using data maliciously, copying it to take to a new company, or selling it on to a third party.
We’re not looking to instil fear but it’s important to put the issue into perspective and highlight that this happens to businesses of all sizes.
Should you be unlucky enough for it to happen to your business, these are the measures that may need to be taken:
- Notify the Information Commissioner’s Office (ICO)
- Consider whether to notify your customers
- Record details in your own breach log
You can find out the steps that go into notifying the ICO by clicking here, but for the purpose of this blog we want to focus and expand on the second point regarding your customers.
There’s certainly a trend at the moment for owning your mistakes, along with taking bold steps with regard to your databases. KFC and Facebook turned to print advertising to apologise for supply chain issues and the Cambridge Analytica scandal respectively. Last year, Wetherspoons deleted its entire database in preparation for GDPR.
It’s important to note that all three of these brands had access to a highly qualified team to provide advice and execute these activities. There is never a ‘one size fits all’ approach when dealing with tricky situations. Seek expert advice wherever possible.
We’re all about reputation, and how you handle something like a data breach can break it down in seconds.
Mark Gracey, founder of the Digital Compliance Hub, explains why it’s important to take data breaches seriously: “Under GDPR all organisations have a regulatory duty to consider data breaches. Not only will you need to consider whether they need to be reported to the regulator (the ICO in the UK), but you’ll also need to consider whether you have to tell your customers (so they can protect themselves from any misuse of the data that’s been leaked). But whilst the regulation requires you to consider whether a breach is reportable, it’s important that when a breach occurs, action is taken to address the issue, so as well as mitigating the risk to your data subjects you will need to make sure you protect your own business from future risks. And, if you’re thinking that no one will ever find out about a breach – just ask Uber.”
It is often accepted that the best leaders acknowledge when they are in the wrong, and this breeds respect. There will be a spark of anger or disappointment initially, but handle it correctly and forgiveness will come, and if you’re lucky, people might forget about it too!
In our opinion, the second action on the ICO’s checklist shouldn’t be optional: customers, regardless of whether they are B2B or B2C, have the right to know how their data has been used, whether the breach was intentional or not.
Consider putting a strategy in place to work out what you’ll want to say, and the most appropriate way to communicate your message to your customers, if the worst were to happen. This is a serious issue and it’s important to be clear about what you’re communicating and why.
Given how important these new regulations are, it may also be that breaches incur a little more press interest than they once did.
Crisis communications is part of our foundation. We’ve worked with big and small businesses alike over the 20 years we’ve been in business and handled all sorts of situations. The chances are you won’t have read about many of them because we’ve worked hard to keep them out of the limelight. If you have any questions as to the sort of communication plans you should be making in case of data breaches, then don’t hesitate to drop us a line, or call us on 01202 701828.
Image credit: blogtrepreneur.com/tech