GDPR now compels organisations to self-report both to the ICO and to those individuals whose personal data has been compromised on your watch. It’s a risk assessment, a judgement call on whether your breach event is ‘likely to result in a high risk to the rights and freedoms of natural persons’, in which case it’s time to ‘fess up.
But before the ink is dry on your referral to the ICO, the whole world, it seems, is talking about you for the wrong reasons and commentators are busy at work holding you up as the poster boy of data breaches.
Since the implementation of GDPR on 25th May we have seen a dizzying array of potential data breach offenders come to the public’s attention… but remember, no one is guilty yet. Seemingly the punishment for merely being in the dock may be enough. Customers and clients are quick to loosen ties, well established or otherwise. Monzo jumped out of bed with Typeform in rapid fashion: ‘we have ended our contract with Typeform, at least until they can prove they've improved their security, and have deleted all customer data from their servers’. It’s all about self-preservation, and that’s fair enough. You don’t want to be tainted with the whiff of data breach about you, particularly when it may have affected your own client base. With the new-found liability for processors under GDPR there’s perhaps even more reason to distance yourself from the suspected perpetrator as the ICO gets into the nitty gritty of who is really going to carry the can on this one. Now where did we put that data sharing agreement?
And so, the reality is hitting home. We don’t yet know how the regulators across Europe will dish out the fines… but perhaps the real damage comes from our obligation under GDPR to report the breach within 72 hours, before you have a chance to get to the bottom of it all. Before the ICO has time to adjudicate, your customers may have gone elsewhere. When the decision is finally made, even with a clean bill of health, will they all come back, cap in hand? The Liberal Democrats, also affected by the Typeform fallout, state: ‘we will be re-evaluating our relationship with them in light of this incident. We take the security of our data seriously and if we are not satisfied that sufficient steps have been taken to secure your data, we will terminate our relationship with Typeform’.
So, the old adage ‘there’s no such thing as bad publicity’ is being well and truly tested. Dixons Carphone, Ticketmaster, Typeform and the like need the spin doctors of all spin doctors to tidy up the mess. Organisations are nervous about the risk and implications of association with others who have had a data breach, and won’t necessarily wait around for the outcome of any investigation. Reassurances from on high within organisations may well quell fears… the commercial realities, the costs of jumping ship and the operational task of taking custom elsewhere may compel your customer to stay with you rather than going to your nearest and sometimes ‘dearest’ competitor. After all, who can you trust… it could be them next!
Managing your data breach, getting the right advice, having the disaster recovery plan in place, data-sharing agreements with third parties… recent events show just how critical it is to have expertise on hand to guide you through the storm. Whether it’s planning and policy or data breach management, Briefed consultants can assist you with the way forward. Contact Briefed at Hello@briefed.pro or on 028 90446780.