Dealing with data breaches should be business as usual
In the run-up to GDPR, we started to see companies treating customers differently. We began to see emails warning us about data breaches, with specific news about what the breach was, what was being done about it and what, if anything, we should do ourselves.
And with Dixons Carphone now admitting that its breach last year actually involved 10 million customers, many times more than was first believed, the subject remains very much in the public eye.
This is only going to accelerate – and if you have set things up properly, managing and communicating data breaches will become business as usual. However, for most companies, this is an entirely new area of communications. They don’t always know what to do about it or how to handle it effectively.
Transparency is a cultural issue
Companies are not always used to being transparent in business today. Sharing any information beyond what is absolutely necessary is seen as breaking commercial confidentiality and might even make them feel vulnerable and weak.
But in light of GDPR’s requirements, and the growth of privacy by design and individuals’ data rights, this attitude is quickly becoming outdated.
The successful companies of tomorrow will not just communicate with transparency, but embed it into their corporate DNA. They will understand that good news has more credibility when it is in a more realistic context, so communicating the ‘bad news’ of data breaches quickly and effectively actually has a long-term value.
Understanding the processes
Communicating data breaches confidently and with real transparency requires a number of processes to be in place.
You must notify any personal data breach to the relevant supervisory authority (in the UK, the ICO) within 72 hours of becoming aware of it – and also communicate the personal data breach to the data subject without undue delay.
The notification to the authority needs to describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects and personal data records concerned.
It also has to communicate the name and contact details of the data protection officer or other contact point where more information can be obtained, describe the likely consequences of the breach and describe the measures taken or proposed to be taken by the business to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
All this means you need effective processes for becoming aware of breaches quickly, creating notifications and issuing them promptly.
Breaches can actually help generate trust
As communicating data breaches becomes the new normal, breaches will actually become an opportunity. Companies that pass on that information quickly, efficiently and thoroughly, through a transparent approach to business, will be trusted more readily by customers.
To find out more about trust-hub’s approach and platforms, which can help you develop a structured and transparent approach to handling data breaches, please contact us at +44 (0)20 3582 5055.