Guy Fithen is the founder and CEO of Guy Fithen Associates, working with corporates and not-for-profits on presentational and communications issues, particularly crisis management. After starting his career as an actor with the Royal Shakespeare Company, he moved into the Financial PR sector, dovetailing a number of roles in that sector with returns to the entertainment industry as a performer and writer. Here Guy focuses on the reputational issues arising from data security under GDPR.
If you’re not worried about data security, you should be. People have tended to think that internet security is something that can be left to the IT department — the Board isn’t usually concerned until something goes wrong. But with GDPR, all that has to change because…
You’ve only got 72 hours. Under GDPR, if you have a cyber incident, you are required to make that known to the ICO [Information Commissioner’s Office] within 72 hours. My specific area of interest is on how companies and charities, NGOs, are going to be able to prepare themselves in order to communicate what has happened to them effectively and in a way that’s open, transparent, but at the same time minimises damage to their reputation.
You can predict the scenarios. These are some of the most likely: you’re going to get hacked, which is sometimes preventable and sometimes not; or somebody’s going to leave a laptop, which hasn’t been encrypted, on the train; or you’re going to dispose of some old computers and they’re going to turn up on a rubbish dump somewhere.
Create your Plan A. Make a long list of all the things that might happen and make sure that you’ve got a plan for each of those eventualities. Then prepare Q & A as to what you’re going to be asked, both by the authorities who are going to come after you, but also by your charitable givers and the people that you represent — as well as the press, of course.
Don’t play catch-up. If there are people that could be impacted by what’s happened you want to get your side of the story to them first. It’s much better to be able to tell them and give them the explanation rather than be playing catch-up and be defensive after the fact — nature abhors a vacuum. You’ll need to be able to be out there and explaining your side of the story well in advance, and you’ll only have 72 hours to do that, so prior preparation is really important, more now than ever.
Sometimes, the best spokespeople are not the most obvious. You won’t want, necessarily, to roll out your chairperson at the stage that something goes wrong, because you’ll probably want to protect them for a while and give them time to think and gather the thoughts and advice of those people around them. Sometimes there needs to be somebody who is very good on their feet and able to talk to journalists, to people who are firing very difficult questions at them, and remain cool under pressure. They’re not always the most obvious people within the organisation.
Have an emergency grab-bag. Once you’ve identified who those people might be, then it’s really important to give them a dry run, and a bit of practice, and a bit of training. You should give them all the support that they can possibly have, and they should feel absolutely confident that they’ve got an emergency grab bag somewhere, a little dossier. Maybe it’s on their mobile phone, or maybe it’s in paper form, that gives them a flowchart of what needs to be done in the case of an emergency, the steps that they need to take, the first 10 actions that they need to make on hearing that there has been a problem. That will enable them to get through the first few hours of a crisis. You then need to create a plan for how to take it on from there.
A crisis is much less of a crisis if you’re prepared. These are some very practical steps that aren’t very difficult, and don’t need to take up a lot of time, but will help enormously if and when you have to explain some sort of compromise of your data.
Cause & Effect is a series from Hope, in which leading figures who have been involved in building and promoting good causes tell us what they’ve learned from their experiences. Interview by Michael Isaacs.