How to avoid a GDPR Crisis

by Romana Shah

The biggest shake up in data regulation comes into force on Friday and it'll soon become clear which companies are prepared and which companies are struggling to comply by the deadline.

Leaving no industry untouched, this topic has been heavily debated amongst the press, at conferences and by companies all trying to get to grips with what they need to do in order to operate in a post GDPR world.

GDPR is constructed of a list of requirements around transparent processing & storage, data subject rights, personal data breaches, data transfer etc. but it does not have a prescriptive approach on how a company will evidence that it is complying with the legislation.

This has opened up companies to different interpretations on what complying looks like. Whatever a business decide PR professional play an important role in ensuring the relevant lines of communication stay open, specifically in the case of incompliance.

Develop a crisis plan

The regulation instructs that data breaches must be reported to European regulators and their customers within 72 hours. For PRs, setting out a crisis plan on the steps to ensure smooth communication in the event of a data breach is key to avoid a GDPR crisis.

As part of this process, developing preapproved comments that can be filled in quickly in the event of a breach can ensure your client keeps in control of the situation and mitigates any reputational consequences.
Constant monitoring of traditional and social media for any reports of the incident is key to also maintain control of the situation and the message you want to send out to both your customers, partners, suppliers.

Getting everyone on the same page

When there is significant processing of personal data within a business, they should assign a Data Protection Officer (DPO). The DPO will have the responsibility of advising the company about compliance with EU GDPR requirements. However, assuming they hold all responsibility over the data should not be the strategy a business adopts. No matter how big the company is, it is unrealistic for any DPO to be across everything that goes on in a business.

Any sort of change can fall flat if you do not get every member of the team involved in understanding the importance of what good governance and compliance looks like.

In order to avoid a GDPR crisis, businesses need to look beyond the deadline. It is not like an exam where you submit your work and wait for a pass or fail. There needs to be constant assurance and effort to ensure data management is maintained.