What does GDPR say businesses should do when they suffer a breach?
Under GDPR, you must inform the Information Commissioner's Office (ICO) within 72 hours of becoming aware of a breach. Suffering a breach alone doesn’t mean that you’ve done something wrong and will automatically be hit with a fine; however, the regulator will take into account the steps you’ve taken to prevent an attack and how well you responded to it. You should therefore have as much information as possible on what has happened, and on the measures you have in place, when you report the incident to the ICO.
The regulations also state that you must inform the individuals affected if the breach is likely to impact their rights and freedoms. Therefore, if the loss of personal or sensitive data puts customers at risk of identity theft, fraud, financial loss or damage to reputation, they need to be informed. If payment details are involved, businesses may also need to inform the PCI Security Standards Council, which regulates the security of payment information.
What are the steps business leaders should take to regain customer confidence after a breach?
As well as avoiding a fine under GDPR, an effective response plan could also salvage your business reputation and ensure you retain the confidence of customers following a breach.
Speed is of the essence and your response plan should kick in from the moment you become aware of an issue. First and foremost, you need to know what has happened in order to contain the breach and minimise the damage. If you don’t have the right expertise in house, bring in IT forensics experts to investigate and advise you.
There are numerous legal issues to consider, including informing the Information Commissioner’s Office (ICO) of the breach, defending your business against any claims of malpractice, and managing your approach to customers and the media. You should therefore seek the advice of a lawyer immediately to help manage all of this.
How you handle media interest is critical. Again, time is of the essence, so you’ll need to have statements ready to go as soon as possible about what you know and the actions you are taking. If you don’t have your own PR expertise internally, call on external support to provide guidance. Being proactive about containing the breach and minimising damage will go a long way towards regaining trust.
Affected customers also need to be informed as soon as possible so they can minimise the damage to their own accounts and data. Businesses need to be ready with a way to handle this communication efficiently across numerous channels, including email, telephone, online channels and social media. Larger breaches may involve setting up a dedicated call centre to handle customer concerns.
Handle everything right and customers may forgive you the first time you’re hit by a data breach. Get hit again, however, and they will start asking questions. Businesses must therefore take the lessons from a first attack and put policies and procedures in place to guard against the same thing happening again.
Businesses should also consider taking out a watertight, specialist cyber insurance policy as a final line of defence in the event of a breach. As well as covering the cost of system downtime, potential fines, and legal and compensation costs, some cyber insurance policies will also provide an immediate response plan and external expertise as part of your cover.