The European Union General Data Protection Regulation (GDPR) take force on 25 May, less than a month away. In most organisations, multiple departments from legal through to IT, marketing and communications will need to take action to ensure compliance with these new data privacy rules which, in simple terms, apply to any organisation which processes the personal data of EU citizens.
In the last few weeks we have seen a real shift in our client work in preparation of this change, moving from helping clients to evaluate the broad contours of their messaging on privacy, as part of general preparation within the communications department, through to communications team driving final cross-organisational preparations.
It seems that the item highest on our clients’ agendas is the notification requirement of GDPR. Under GDPR, companies must notify supervisors and data subjects within 72 hours of first becoming aware of a data breach. Potential consequences for non-compliance with these notification requirements include hefty financial fines of up to €10 million (or up to 2 percent of the total worldwide turnover), but also failure to comply with this requirement would open another vulnerability for the company and add a complex dimension to reputation risk.
With this in mind, we’ve been helping clients to make plans and test them through a simulation. Whether a more limited desktop exercise in order to gain familiarity with an existing crisis playbook, or a fuller all-day simulation with core incident response team members, leaders and subject matter experts from across the company, these provide a useful way of ensuring everything is in place before May 25.
Edelman has experts available to co-create GDPR-compliant data breach response plans and prepare and run crisis simulations before the launch of GDPR.
If you would like to take advantage of this, please get in touch.
Steve Heywood
Deputy General Manager and GDPR Lead
Edelman Amsterdam