Europe’s GDPR Regulation Could Mean a Crisis Comms Waking Nightmare

If a butterfly flaps its wings it can cause a typhoon on the other side of the globe. So says chaos theory’s famous butterfly effect concept, designed to illustrate that one small change can change everything. Thanks to ever increasing globalization, we’re susceptible here in the U.S. to the flapping wings of legislators all over the world, nowhere more than our largest trading partner, the European Union.

Given some of the gargantuan changes to data collection and usage mandated by the EU’s now agreed General Data Protection Regulation (GDPR), any company marketing to European consumers has had to sit up and take note. While some attention has been paid to the impact on data management and direct marketing pros, the regulation has some provisions that will keep Directors of Communications and PR departments up at night (literally).

Most tellingly, companies will need to inform regulators in Europe within 72 hours of any data breach that will “result in risk to individuals’ rights and freedoms.” If you think about commonly stolen info during hacks (credit card details, usernames and passwords, personal identifiers), you can see that many data breaches will fall under the 72 hour stipulation. And it’s not just a compliance issue, where it involves high risk to your customers; they too have to be informed within this timeframe.

Given that hackers are waltzing past many company’s cyber defenses with astounding nonchalance, losing customer data is an eventuality that PR teams need to prepare for and even expect.  Informing customers of a data breach means informing the media, amplifying the damage. Having a crisis comms plan in place for a data breach is good practice anyway, and many companies have this on file. However, having a plan that is executable within 72 hours and empowers the U.S. based team members at HQ to work closely with teams and advisers in Europe is a very different kettle of fish.

The accelerated timeline will squeeze the process of collaboration significantly. Drafting press releases, media Q&As, holding lines and messaging documents needs to be done at breakneck speed, an alarming prospect given the damage that can be caused, both to company and career, in getting it wrong.

Careful scenario planning in advance is key to tackling transatlantic crises within this tight window. Drafting materials to meet these scenarios can reduce the difficulties of doing so live, and not just from a time crunch point of view. When the sh*t hits the fan and the adrenaline is pumping, it can be more difficult to pick holes in your messaging and consider how the tone of communications will be received.

It’s not just about the wording, however. A timeline that incorporates each process and a clear delineation of responsibility for all decision makers is also highly necessary – time to get busy with Powerpoint’s flow chart functionality!

We work in such a reactive profession at times, and a frenetically busy one at that. So advanced planning isn’t exactly easy to squeeze onto the to-do-list. In the event of a data breach affecting European customers, however, corporate comms teams should expect a very long three days if they aren’t well prepared. Advanced crisis planning can significantly improve the response and reduce the associated stress. With a little under two years to go until the legislation comes into force, it’s worth beginning that effort now.

Dominic Weeks
Vice President


Keep in Touch

Want fresh perspective on communications trends & strategy? Sign up for the SHIFT/ahead newsletter.

Ready to shift ahead?

Let's talk