A 5-Step GDPR Crisis Plan

With the GDPR (General Data Protection Regulation) looming, it'll soon become clear which organizations have prepared for Europe's legal framework for the collection and processing of personal data and which companies are struggling to comply by the May 25 deadline.

The regulations stipulate that data breaches must be reported to European regulators—and to customers—within 72 hours, which "makes it essential for organizations to plan ahead for the inevitable data breaches that are happening with increasing frequency," says Gene Grabowski, partner at Washington, D.C.-based public relations and public affairs firm kglobal.

He adds that global companies with data breach crisis plans will want to update them expeditiously so they're able to coordinate with European counterparts and act within the compressed time frame. "Companies at risk should already be conducting tabletop crisis simulations with senior leaders, risk managers, lawyers and members of the communications team," he says.

At the bare minimum, Grabowski advises communicators to draft and test new data breach protocols, media statements, social media messages, Q&As and customer correspondence.

Andrew Ricci, principal at Riccon Strategic Communications, agrees that GDPR crisis planning is paramount for affected organizations. "There’s only a small extent to which organizations can blame anything that happens on the GDPR regulations. If customers lose faith that they can rely on a service or product, they’ll start looking elsewhere, and they won’t care whose fault it is," he says.

To help mitigate these negative business outcomes, Ricci says PR pros should start by drafting a matrix that measures anticipated threats on their likelihood and impact. For high likelihood and high-impact threats, Ricci agrees with Grabowski that communicators must have a list of media holding statements, press lists and other response materials at the ready.

Ricci adds that, for the most rapid response, roles and responsibilities need to be clearly delineated in advance "so that everyone has their marching orders and can quickly spring into action."

For PR pros who need to swiftly communicate all of the above to their senior leaders, Andy Gilman, president and CEO of CommCore Consulting Group, summarizes GDPR crisis planning into five steps below:

1. Develop a crisis plan—cyber and information protection is one of the risks that should be on the list.
2. Have IT specialists in-house or on call as part of the team in the event.
3. Develop preapproved templates that can be filled in quickly in the event of a breach.
4. Monitor traditional and social media for any reports of the incident.
5. Repeat the above steps.