Recently, Uber found itself caught up in another global media storm. It failed to disclose a serious data breach suffered over a year ago. And in doing so it demonstrated the thinking behind the swingeing penalties in the new General Data Protection Regulation (GDPR) which comes into force in May 2018.
The cyber attack in question exposed the data of around 57 million drivers and passengers. Uber admitted paying the hackers $100,000 to delete the data and, most seriously, to keep the breach quiet. This allowed Uber to say nothing, to customers, to drivers or to the world at large.
In a statement, CEO Dara Khosrowshahi acknowledged “none of this should have happened” and committed to “changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”
But commitments to doing things differently won’t be enough from next May. Under GDPR, companies will have just 72 hours to notify the regulator and every single customer that their personal information has been compromised and which bits. This is no mean feat when that kind of detail often doesn’t become clear to a company until weeks after the breach is first detected.
But fail to comply and these rules will bring fines of up to €20m or 4% of global turnover, whichever is higher. In Uber’s case, the scale and secrecy of the breach would give the regulator good reason to err towards the top end of the scale, issuing likely fines of an eye-watering €220m.
Put simply, the stakes around data breaches are about to get significantly higher. Yet the government’s Cyber Governance Health Check shows just 6% of FTSE 350 boards are fully prepared for the new laws.
It’s clear that cyber risk is no longer the remit of the IT bods. It is a reputational and now financial issue, for which entire executive teams are responsible.
But if, at the next board meeting, someone asks “Are we safe?”, they are asking the wrong question and are likely to get the wrong answer. Instead questions should focus on filling the following business-critical gaps:
- The knowledge gaps: Do we know what customer data is collected, where it is stored, how it is used and for how long? Do we know what level of security is required to access customer information? Do we have the appropriate consent to use the information collected?
- The relationship gaps: Navigating a post-GDPR world successfully requires collaboration, understanding and accountability across Leadership, Business units, Communications, Tech, Legal and Customer teams. How often do these people get together? Do they know each other? Are they talking the same language?
- The procedural gaps: How speedy and informed is our decision making? If we get hacked, how will we decide what to say and to whom, how quickly and when? Who will talk to the media? Who will talk on background? How quickly can we publish to our website? Who has the passwords to the social channels in the middle of the night? What is our crisis monitoring?
- The messaging gaps: In the event of a breach, how will we reassure customers, regulators and the media that we have taken our custodianship of their data seriously? Can we demonstrate ongoing internal awareness-raising and a culture of risk avoidance?
Once GDPR comes into effect, every executive at the boardroom table is accountable in the event of a breach. If you can’t confidently get the answers to all these questions, it’s time to rethink your GDPR strategy.
Article written by Andy Rivett-Carnac, partner at communications firm Headland Consultancy