Back to Insights- Data Protection
Longer Reads
How to limit reputational damage after a data breach
1 minute read
Published 29 August 2019
Key information
- Specialisms
- Business
- Services
- Data Protection
The General Data Protection Regulation (GDPR) has been with us for over a year. It was greeted with a tremendous fuss, with the threat of fines running into the millions.
Organisations ran around like headless chickens while their lawyers drafted privacy notices and policies, and proffered advice on what to do about breaches.
The Information Commissioner’s Office (ICO) has shown its teeth by imposing a record £180m fine on British Airways, followed by a £100m fine on Marriott last month. Both fines were imposed after hackers stole huge amounts of personal data.
But while the legal risks are largely understood, it is only now that organisations are waking up to the reputational risks of a data breach.
So if your business finds itself subject to a data breach, what action should you take?
First, if a breach presents a risk to individuals’ rights and freedoms, the ICO must be notified within 72 hours.
If the breach poses a high risk to those rights and freedoms, such as the loss of financial information, affected individuals will need to be notified without undue delay.
And here lies the first challenge: how will you notify these people?
Generally, this would be by email. But IT servers may not physically be able to cope with an email to half a million people or more in one go. Add to that the likelihood that not all customers will have an email address, meaning that traditional post may be the only answer for some.
Now the question is whether your database holds the correct or up-to-date information to enable this to happen? The ICO will take a dim view of any delay.
And while organisations are not required under GDPR to tell staff of any data breach, customer services and social media teams should be informed and briefed on how to manage the concerns of affected customers.
A tweet from a disgruntled customer can all too quickly travel the world, often gathering pace as it does.
With this in mind, your communications team and lawyers should work together from the outset to decide what communication might include.
While the chief executive might be the public face of the company, for organisations with a confrontational boss, a member of the comms team or specialist PR agency might be best.
The timing of customer notification is critical, particularly where there is the risk of fraud following the loss of financial or personal information.
Delaying notification risks reputational damage and could possibly lead to increased fines. But also consider that if you send too early, the full extent of the breach may not yet be understood. It can be a fine line, and again, your lawyers and communications team are best placed to advise.
When considering whether to dish out a fine and in what magnitude, the ICO will undoubtedly look at how the breach occurred and how it could have been prevented. But it will also look at the steps you took to remedy and mitigate the consequences of the breach.
Complying with GDPR is important, but businesses should also have a plan in place in case of a data breach – because reputational damage can hit just as hard as the legal implications.
This article was originally published in City A.M. on 29 August: https://www.cityam.com/how-to-limit-reputational-damage-after-a-data-breach/
Related latest updates
PREV
NEXT
Shorter Reads
Read more
Fired over Mouse Jiggling: the employment law risks of TikTok ‘work hacks’
Longer Reads
Read more
UK Information Commissioner introduces new approach to enforcement
Longer Reads
Read more
Two key decisions highlight issues when handling children’s dataLonger Reads
Read more
Demystifying the UK government’s proposed reforms to data protection lawsLonger Reads
Read more
Recent trends in data breach litigation
Shorter Reads
Read more
Royal Mail cybersecurity incident a reminder of the international reach of the UK GDPRShorter Reads
Read more
Monitoring staff – employers should not expect to see staff chained to their desks all dayShorter Reads
Read more
Scrapping GDPR regulations likely to cause additional red tape for UK businesses
Longer Reads
Read more
Don’t let your cookie compliance crumbleShorter Reads
Read more
Data privacy update: International data transfersShorter Reads
Read more
Data Subject Access Requests: Six key issues for HR TeamsShorter Reads
Read more
Rights without responsibilities?Shorter Reads
Read more
Data subject access requests are ‘weaponised’ as disgruntled customers seek to ‘tie businesses in knots’Shorter Reads
Read more
AI regulation in financial services and how the UK diverges from EU rules
Longer Reads
Read more
Domestic CCTV: are you compliant?Longer Reads
Read more
GDPR: New Guidelines on international data transfers
Longer Reads
Read more
Dear Santa…A Cautionary Data Privacy Tale
Podcasts
Listen now
Article 27 of the GDPR – Do you need to appoint a UK/EU Data Representative?
Shorter Reads
Read more
ESG and Data ProtectionPodcasts
Listen now
GDPR and Artificial Intelligence in the workplace
Longer Reads
Read more
What are the limits on video surveillance in the workplace?Longer Reads
Read more
Complying with data laws when engaging with freelancersShorter Reads
Read more
UK data protection standards to be deemed adequate by the EUShorter Reads
Read more
Ikea fined €1 million for illegal staff surveillance
Shorter Reads
Read more
Is your personal data safe on Zoom?Shorter Reads
Read more
Firmware cyber-attacks: the next big thing?Shorter Reads
Read more
Website cookies crumble as they fail to meet legislationShorter Reads
Read more
Post-Brexit breathing space for EU-UK transfers of personal dataShorter Reads
Read more
Now is the time to review your data protection policiesLonger Reads
Read more
The end of the Brexit transition period: what this means for your business’s data protection...
Videos
Watch now
Control the process: mastering your data processing agreements
Shorter Reads
Read more
No rest for the European Data Protection Board
Shorter Reads
Read more
Test-and-trace data sharing: a healthy lesson for private-sector businesses on the importance of transparency
Shorter Reads
Read more
Good(ish) news for BA
Shorter Reads
Read more
New EDPB guidelines: copying and pasting GDPR provisions into your commercial agreements isn’t enough
Longer Reads
Read more
Privacy Shield invalidated: what this means for your data flows to the US
Shorter Reads
Read more
No Data Protection Impact Assessment (DPIA) undertaken for Test and Trace programme – but what is a...Shorter Reads
Read more
Preparing for 4 July: Pubs and restaurants required to collect customers’ detailsShorter Reads
Read more
Protecting Personal Data as Lockdown unlocksShorter Reads
Read more
Babylon Health admits GP app suffered a data breach
Videos
Watch now
M&A: Cyber security and data privacy risks
Shorter Reads
Read more
easyJet’s woes worsenShorter Reads
Read more
Cathay Pacific, British Airways, easyJet – what’s the connection?
Shorter Reads
Read more
Data protection in the time of coronavirusLonger Reads
Read more
WM Morrisons Supermarkets plc v Various Claimants – Supreme Court hands down decision
Shorter Reads
Read more
Zoom under increased scrutiny as popularity rises
Longer Reads
Read more
Privacy and real-time bidding: An updated guide for adtech vendors and publishersShorter Reads
Read more
British Airways facing record GDPR fine
Longer Reads
Read more
AI: It’s time to ExplAInShorter Reads
Read more
It’s time to AI-xplainNews
Read more
GDPR anniversary to be marked with big finesShorter Reads
Read more
Why GDPR isn’t last year’s newsShorter Reads
Read more
Facebook and Cambridge Analytica – the GDPR implicationsShorter Reads
Read more
GDPR – Smaller charities at risk
Related content
Longer Reads
How to limit reputational damage after a data breach
Published 29 August 2019
Associated sectors / services
The General Data Protection Regulation (GDPR) has been with us for over a year. It was greeted with a tremendous fuss, with the threat of fines running into the millions.
Organisations ran around like headless chickens while their lawyers drafted privacy notices and policies, and proffered advice on what to do about breaches.
The Information Commissioner’s Office (ICO) has shown its teeth by imposing a record £180m fine on British Airways, followed by a £100m fine on Marriott last month. Both fines were imposed after hackers stole huge amounts of personal data.
But while the legal risks are largely understood, it is only now that organisations are waking up to the reputational risks of a data breach.
So if your business finds itself subject to a data breach, what action should you take?
First, if a breach presents a risk to individuals’ rights and freedoms, the ICO must be notified within 72 hours.
If the breach poses a high risk to those rights and freedoms, such as the loss of financial information, affected individuals will need to be notified without undue delay.
And here lies the first challenge: how will you notify these people?
Generally, this would be by email. But IT servers may not physically be able to cope with an email to half a million people or more in one go. Add to that the likelihood that not all customers will have an email address, meaning that traditional post may be the only answer for some.
Now the question is whether your database holds the correct or up-to-date information to enable this to happen? The ICO will take a dim view of any delay.
And while organisations are not required under GDPR to tell staff of any data breach, customer services and social media teams should be informed and briefed on how to manage the concerns of affected customers.
A tweet from a disgruntled customer can all too quickly travel the world, often gathering pace as it does.
With this in mind, your communications team and lawyers should work together from the outset to decide what communication might include.
While the chief executive might be the public face of the company, for organisations with a confrontational boss, a member of the comms team or specialist PR agency might be best.
The timing of customer notification is critical, particularly where there is the risk of fraud following the loss of financial or personal information.
Delaying notification risks reputational damage and could possibly lead to increased fines. But also consider that if you send too early, the full extent of the breach may not yet be understood. It can be a fine line, and again, your lawyers and communications team are best placed to advise.
When considering whether to dish out a fine and in what magnitude, the ICO will undoubtedly look at how the breach occurred and how it could have been prevented. But it will also look at the steps you took to remedy and mitigate the consequences of the breach.
Complying with GDPR is important, but businesses should also have a plan in place in case of a data breach – because reputational damage can hit just as hard as the legal implications.
This article was originally published in City A.M. on 29 August: https://www.cityam.com/how-to-limit-reputational-damage-after-a-data-breach/
Associated sectors / services
- Data Protection
Need some more information? Make an enquiry below.
Enjoy reading our articles? why not subscribe to notifications so you’ll never miss one?
Subscribe to our articlesMessage us on WhatsApp (calling not available)
Please note that Collyer Bristow provides this service during office hours for general information and enquiries only and that no legal or other professional advice will be provided over the WhatsApp platform. Please also note that if you choose to use this platform your personal data is likely to be processed outside the UK and EEA, including in the US. Appropriate legal or other professional opinion should be taken before taking or omitting to take any action in respect of any specific problem. Collyer Bristow LLP accepts no liability for any loss or damage which may arise from reliance on information provided. All information will be deleted immediately upon completion of a conversation.
Close
