Six years ago, the General Data Protection Regulation (GDPR) was first proposed to the EU. Two years ago, the EU passed the new regulation. And in 3 months, GDPR will take effect.
GDPR has a broad scope. We know just as much as anyone else about the new regulation. And we’ll have to wait for May to roll around to see how it will work. But considering how transformative GDPR will be and how quickly those 3 months will go by, everyone needs to start thinking and talking about it.
GDPR at a Glance
GDPR has two main goals:
- To give EU citizens more power over their personal data.
- To streamline international business involving personal data.
Given that the law is going to make major changes to any and all sectors in which EU citizens’ personal data plays a role, it’s no wonder that GDPR is an extremely complex piece of legislation, with a lot of parts that each require careful consideration.
Businesses foreign to the EU are required to comply with the regulation if they wish to offer their services and products to EU citizens. Most of the regulation directs organizations on how to handle personal data, but what would happen if they ever lost their grip?
Why Crisis Management and Business Continuity are on Our Minds
One article in the regulation addresses that scenario, and it's why we've got crisis management and business continuity on our minds: Article 33.
This section of GDPR pertains to data breaches. More specifically, the article outlines the actions a company experiencing a data breach must take. In a nutshell, these requirements are:*
- Inform their respective supervisory authority**
- Inform any EU residents whose personal data has been adversely affected
- Offer recommendations for mitigating the effects
- Direct EU residents to where they can obtain more information
- Document the whole event (for ensuring regulatory compliance)
All of this has to be done within 72 hours of the breach. With time as such an important factor, it’s easy to see why preparation for possible incidents is essential.
Planning and preparedness are at the heart of business continuity, crisis management, and risk management. We'll have to wait for May (at the earliest) to see what guidelines, policies, standards, and certifications GDPR will require here, but there are already clearly established best practices that will most likely become requirements in executing the law's mandates.
*To read the full version of GDPR and Article 33, see gdpr-info.eu.
**Supervisory authorities will ensure companies maintain compliance with the regulation.
Best Practices: Crisis Management
A business’ response to an incident is known as crisis management. If you follow crisis management best practices, you already know what your response to any incident is. It’s all about having all of your ducks in a row before a crisis strikes.
Every crisis has parts that need to be played by ear, but anything that can be prepared for should be prepared for. Beam your notifications out. Assign your recovery tasks. Establish safe communication channels.
Don't stop there, however. Keep your plans within arm's reach and craft plans for every scenario. Know how they'll function by running drills for each plan. You might not see every flaw on paper, but regular dry runs should make any leaks known (plus, your team will get some very valuable practice).
Crisis management is all about your response. Preparation and planning can do a lot of the heavy lifting for your business when a crisis happens. But how do you bounce back after everything’s been said and done?
Best Practices: Business Continuity
Recovery is the purpose of business continuity. Each incident will leave a unique impact on your business and will require special care to remedy entirely.
First, you'll need to run some analytics. Business impact analyses (BIAs), risk assessments, and after-action reports can help you recognize priorities, crucial tasks, downtimes, and the total impact. Use these to inform the next steps.
You’ll have to assign and perform tasks to get your business back on its feet. Apply the results of your analyses. Get your most important business functions back up and running.
Crisis management and business continuity are cyclic and inform one another. Don’t let your analyses gather dust. Inject the results into your plans to improve your response to the next crisis. You might even recognize the need for a new plan. Feed the whole cycle continuously to make sure your business is as prepared as possible.
GDPR: Takeaways and Lessons
Even if your business won't be affected, GDPR and Article 33 are great reminders of how important crisis management and business continuity are. Anticipate what'll happen and know how you'll respond. Planning and preparedness are the keys to successfully handling an unexpected crisis.