The Malta Business Weekly

A customer-focused approach to GDPR

Cyber incidents are now an expected part of life in most of the business world, so planning for them has become an increasingly important aspect of corporate security. Yet when faced with such events, many organisations instinctively focus their resources

The new General Data Protection Regulation (GDPR) spells out in considerable detail how businesses with data about European consumers should prepare for and respond to cyber incidents, giving enterprises a fresh reason to be more customer-focused than ever. Those that fail to prioritise accordingly may risk magnifying any crisis exponentially.

Five key capabilities

GDPR mandates that companies put in place appropriate organisational measures to prepare for a breach, including a response plan through which incidents are reported to data protection authorities within 72 hours and affected EU residents are notified “without undue delay.” A customer-centric approach to these requirements can depend on five essential capabilities:

Speed. A 2017 study found that it takes 191 days on average for businesses to realise they have suffered a breach. From the moment they do, the clock starts ticking. Mobilizing an operation of the scale and capability required to provide an adequate customer response often becomes a highly visible, high-risk race against time if an organisation is unprepared.

Operational capacity. A breach is likely to result in a near vertical spike in demand on an organisation’s internal operations, so an early challenge can be maintaining enough resources to continue business-as-usual operations while also setting up an effective breach response capability. Often, coping with the potential surge of inbound communications from concerned customers is an especially high-risk capacity issue. Long call-centre queues can very quickly frustrate customers and spark negative social media commentary and press coverage.

Infrastructure. Along with operational capacity, a quick and effective breach response can also depend on having the right infrastructure in place, including a high-volume communications system to quickly and securely direct customer calls and emails. Then there’s the logistical backup required in key support areas. These include mass printing and mailing, high-capacity incident-response website hosting, and an identity-protection solution that provides customers with comprehensive monitoring of credit and dark-web activity along with support and advice for identity protection and repair. All should be poised to go live at a moment’s notice, with supporting contracts already in place.

Expertise. Many organisations operate under the mistaken assumption that the customer-notification process is a straightforward, one-off activity that can be handled by existing customer support staff, who may or may not have any experience with such an event. In fact, many organisations need outside help. A data breach typically requires an extensive range of specialists to support a successful customer response, including customer communications experts, social media analysts, operational specialists, identity-protection advisors, and forensic investigators. It’s important for this army to be ready at short notice, fully integrated, and managed with military precision to help ensure the right support is delivered to the customer in the right way at the right time.

Ongoing support. All too often businesses focus on notification and the details of the initial event, when in fact the real risk for customers typically begins in the weeks following the breach, when the perpetrators are potentially using the stolen data not just to access customers’ breached accounts but also to defraud them through ongoing phishing, email, and telephone scams. Notifying customers about the breach is usually only the first step in a much longer journey; what’s most important is supporting and protecting them afterward.

Managing the aftermath

When the inevitable happens, the outcome is typically determined primarily by the speed and quality of the company’s response. A customer focus can be essential to both.

Some customers will simply want to know what has happened and why; others may believe they have been personally attacked. The range of concerns will likely be broad across an audience with widely varying levels of understanding of the digital world, so the ability to triage their needs quickly and deliver the right level of identity-protection advice and support can be crucial. A full identity-protection strategy, encompassing everything from credit monitoring and fraud alerts to specialist identity-repair support services, can do much to alleviate customers’ concerns and reassure them that everything is being done to support and protect them.

Many organisations will face a data breach sooner or later, and few have the infrastructure, resources, and expertise required to deal with the fallout. But the consequences don’t have to include financial penalties, reputational damage, or a loss of customers. By taking a customer-centric approach and planning carefully ahead of time, enterprises can help ensure they’ll be able to respond successfully at the pace dictated by GDPR — and, more importantly, needed by their customers — and create a positive outcome to what could otherwise be a ruinous disaster.
