The one-year anniversary of GDPR (the General Data Protection Regulation, a regulation rather than a directive) coming into force is fast approaching. More than €55m in fines have been issued (with Google's €50m penalty accounting for almost all of that) and more than 200,000 cases have been reported. But where does GDPR leave us from a crisis management perspective?
For a start, if cyber-crime wasn't on the radar of most senior management before GDPR's introduction, it is now. With a real threat of financial penalties, as well as public exposure, no one wants to be the organisation that didn't see a breach or attack coming and prepare accordingly. And that, for me, is where the crux of successful cyber crisis management lies.
The public have become somewhat blasé about reports of data being compromised or lost, but have little tolerance for sub-standard handling of the situation (Equifax, anyone?).
Organisations are being judged, not on the incident itself, but on how they choose to respond:
· Is the organisation honest and transparent? Has it detailed who has been impacted and how? While it can be difficult to know this in the early stages of a breach, regular and ongoing communication with customers is vital. No one wants to be kept in the dark.
· Is the organisation demonstrating control and ownership of the situation? Obtaining facts in any crisis is difficult, perhaps even more so in a cyber incident where, for many, how and what happened never becomes clear. However, a lack of facts shouldn't stop an organisation providing positive and actionable advice to those impacted (such as Marriott's package of support after its breach), thereby demonstrating a desire to get the situation under control.
· Did the organisation prepare appropriately? It is naive and reckless for an organisation to assume it is bulletproof when it comes to cyber-attacks. It needs to plan for the worst and be ready to put those plans into action.
· Does it demonstrate empathy? While compassion feels a more natural fit when there is a tangible human cost, it is still important in these types of situation. We are a cyber-reliant society. Much of our lives and livelihoods is tied up in the cloud, in pixels and servers. Failing to recognise this shows an organisation that is out of touch with its customers.
The cyber threat is unlikely to go away any time soon, but organisations can mitigate it by planning a response, should the worst happen, that is values-driven rather than operationally driven.