How to limit reputational damage after a data breach

Published 29 August 2019

Key information

The General Data Protection Regulation (GDPR) has been with us for over a year. It was greeted with a tremendous fuss, with the threat of fines running into the millions.

Organisations ran around like headless chickens while their lawyers drafted privacy notices and policies, and proffered advice on what to do about breaches.

The Information Commissioner’s Office (ICO) has shown its teeth by imposing a record £180m fine on British Airways, followed by a £100m fine on Marriott last month. Both fines were imposed after hackers stole huge amounts of personal data.

But while the legal risks are largely understood, it is only now that organisations are waking up to the reputational risks of a data breach.

So if your business finds itself subject to a data breach, what action should you take?

First, if a breach presents a risk to individuals’ rights and freedoms, the ICO must be notified within 72 hours.

If the breach poses a high risk to those rights and freedoms, such as the loss of financial information, affected individuals will need to be notified without undue delay.

And here lies the first challenge: how will you notify these people?

Generally, this would be by email. But IT servers may not physically be able to cope with an email to half a million people or more in one go. Add to that the likelihood that not all customers will have an email address, meaning that traditional post may be the only answer for some.

Now the question is whether your database holds correct and up-to-date contact details to make this possible. The ICO will take a dim view of any delay.

And while organisations are not required under GDPR to tell staff of any data breach, customer services and social media teams should be informed and briefed on how to manage the concerns of affected customers.

A tweet from a disgruntled customer can all too quickly travel the world, often gathering pace as it does.

With this in mind, your communications team and lawyers should work together from the outset to decide what any communication to customers should include.

While the chief executive might be the public face of the company, for organisations with a confrontational boss, a member of the comms team or specialist PR agency might be best.

The timing of customer notification is critical, particularly where there is the risk of fraud following the loss of financial or personal information.

Delaying notification risks reputational damage and could possibly lead to increased fines. But also consider that if you send too early, the full extent of the breach may not yet be understood. It can be a fine line, and again, your lawyers and communications team are best placed to advise.

When considering whether to dish out a fine and in what magnitude, the ICO will undoubtedly look at how the breach occurred and how it could have been prevented. But it will also look at the steps you took to remedy and mitigate the consequences of the breach.

Complying with GDPR is important, but businesses should also have a plan in place in case of a data breach – because reputational damage can hit just as hard as the legal implications.

This article was originally published in City A.M. on 29 August: https://www.cityam.com/how-to-limit-reputational-damage-after-a-data-breach/
