

Anastasia Ivanova

Published on

February 12, 2018



Gone are the days when many once futuristic-sounding crisis scenarios could be dismissed as mere science fiction.

Imagine you are an executive of a major corporation. Your home – kitted out with the latest smart technology – has been compromised. After gaining control of your smartphone through your IoT-connected fridge, the cyber criminals access your privileged and confidential corporate information. Hours later, your company drones start falling out of the sky. Your electric car starts acting possessed. Your customer data – including individual credit card details – is being leaked online. Through your company Twitter account!

You wake up. It was all just a bad dream. In fact, it’s the incoming General Data Protection Regulation (GDPR) that keeps you awake at night… You don’t believe non-compliance is going to happen to you. Yet, the recent reports of stolen cryptocurrency and WannaCry attacks keep you on your toes.

Can GDPR actually result in bad PR? Sure, it can.

If your customer data is stolen, lost or leaked, you’ll have to notify both the authorities and the potentially affected customers within 72 hours of a data breach. The minute you do, you are likely to get hundreds of media inquiries and thousands of heated customer tweets.

If you don’t, you could face a hefty fine of up to 4% of your business’ global annual turnover. And still plenty of bad rep.

If you think 72 hours is plenty, think again. For all its scale and computing power, Yahoo! was only able to report its two major breaches of user account data during the second half of 2016. The first announced breach, reported in September 2016, had occurred sometime in late 2014 and affected over 500 million Yahoo! user accounts. A separate data breach, which occurred earlier, around August 2013, was reported in December 2016. It was initially believed to have affected over 1 billion user accounts; Yahoo! later affirmed in October 2017 that all 3 billion of its user accounts were impacted, immediately getting a $350 million financial ‘penalty’ from Verizon, which was acquiring the company at the time.

However, GDPR should not be seen as a threat. It’s an opportunity to strengthen your organisational resistance to costly and embarrassing data leaks and cyber-attacks. It’s a reason to improve your business processes and data security protocols. An opportunity to review your corporate ability to respond to reputational issues. (Our crisis health check tool can help you benchmark your position against best practice.)

Remember – having to report yourself to the authorities and customers in the space of 72 hours doesn’t leave you much time to think. You have to ensure you are ready and trained to deal with it. That you have your communications protocols and responses ready. That you are constantly training your communications muscle, ready to face a media sprint or a marathon.

Once you have your business processes and issues communications protocols under control, you’ll find that GDPR can help you strengthen your customer loyalty and protect your revenue streams. After all, GDPR should be seen as an opportunity rather than a threat.

If you need support in navigating the GDPR hinterland, talk to us. We’re here to help.
