This post is part of the IPR Digital Media Research Center.
The General Data Protection Regulation (GDPR) went into effect on May 25, 2018, and not everyone is ready; that includes corporate PR professionals.
The GDPR was officially adopted by the European Union in 2016. The regulation gave companies two years to become compliant, which originally seemed like plenty of time. Unfortunately, a survey of more than 1,000 companies conducted by the Ponemon Institute in April found that more than half of them did not expect to be compliant by the deadline. The study found that financial services companies were the furthest along, while retail had the largest share of companies behind schedule. Although GDPR is an EU regulation protecting people in the EU, US companies that do business in Europe or with EU residents are required to comply with it.
GDPR is a set of rules covering data breach notification requirements and transparency for users about what data is being collected and why. Essentially, GDPR gives people in the EU the right to see what information companies hold about them and to have that information deleted if they wish. Consent to collect and use data must be active and specific, which in theory puts an end to simple “I agree with the terms and conditions” tick boxes. Companies must also report a breach to the supervising data protection authority within 72 hours of becoming aware of it and, where the breach is likely to put affected individuals at high risk, notify those individuals without undue delay.
This effectively ends the approach of collecting all the data you can and figuring out what to do with it later. In addition, the GDPR contains mandates that have received little attention.
The BBC reported on May 25 that, as the regulation was poised to go into effect, the Chicago Tribune and LA Times had posted messages saying they were currently unavailable in most European countries; clearly not a notice the shareholders of any internet company want to see. To get back up and available in the EU, media outlets need express consent before collecting personal information.
PR professionals need to be aware that under the GDPR’s guidelines, when a data breach occurs, their responsibilities may go beyond notifying affected customers. The regulations require companies to use “transparent communications” with “direct messaging (e.g. email, SMS, direct message), prominent website banners or notification, postal communications and prominent advertisements in print media. A notification solely confined within a press release or corporate blog would not be an effective means of communicating a breach.” EU member-state data regulators will now have a voice in corporations’ communications plans in order to “maximize the chance of properly communicating information to all affected individuals.”
To date, companies have not approached a breach with such a high-visibility response. Instead, customer notifications are normally sent by email or post. While the communications EU regulators require will vary from case to case, the intent is clear: the EU wants corporations to communicate more transparently when something goes wrong. That will be a challenge.
As we saw in Facebook’s reaction to the Cambridge Analytica fiasco, oftentimes a company’s first instinct in a breach is to play the victim. As Mark Zuckerberg told reporters on April 4, Facebook did not know that “[Professor Aleksandra] Kogan broke the policies and that he broke peoples’ expectations, but also that people chose to share that data with him.” His attitude matches PR counselors’ crisis communications best practices; their well-defined approach to appropriate communications in the “crisis” of a data breach typically does not include full transparency as a key concept.
Unlike disciplines such as medicine or engineering, corporation communications best practices are not supported by rigorous scientific principles. PR leaders counsel and actions are typically anecdotal, relying heavily on what worked in the past.
According to Coombs, all crises in three clusters: victim, preventable and accidental. According to his research of how organizations respond, data breaches fall in the accidental category. When “a technology or equipment failure causes an industrial accident” according to Coombs, the corporation “has minimal responsibility for the event.” The recommended response is “a full apology” but Coombs cautions an apology “provides no greater reputational benefit than an excuse.”
Under GDPR, there is little room for excuses. Carefully worded statements on a website will now be insufficient. Instead, companies must do more to communicate the details of a breach and engage in “transparent communications.” Companies must provide details to consumers of what happened, how it happened, when it was discovered, and steps to be taken to prevent a future breach. All items company executives have typically been reluctant to provide in the past.
Plus, these transparent messages must be disseminated widely. Newspaper advertisements (arcane to tech companies) and website banners, will reach more consumers than just those effected by the breach. Therefore, it’s highly likely that corporate PR teams will instinctively resist; making bad news more widely known than necessary is fundamentally bad PR.
With GDPR, resistance is futile; it is no longer an option to contain a data breach story once it breaks. Corporate leaders must endorse GDPR and prepare to reveal more and say more. If they do not, the results will be disastrous, as they disappoint not only regulators but their customers.