The Corona Crisis is opening the eyes of administrators to the problems one faces in a situation of crisis. “Damned if you do and damned if you don’t” is the kind of response administrators get from the people around them.
A similar crisis often confronts a DPO when the organization faces a “Data Breach”. Suddenly the media will pounce on you, the data subjects will bombard you with e-mails, the DPA will send you a notice, the CEO will shout, your peers will say “I told you so”, the Cyber Insurance company will send a notice, the customers will start reminding you of the indemnity clauses, the CFO goes nuts… and, like the German minister who committed suicide because he could not face the economic crisis created by COVID-19, the DPO will suddenly face a situation which could push any weak person into depression and resignation.
If the DPO speaks out without proper information, he could raise the panic levels. If he says anything wrong, he can face liabilities for misleading people… the problems appear endless.
The DPO in such a situation has to manage the internal and external communications and at the same time initiate the necessary corrective actions and maintain the morale of customers, data subjects and co-workers alike. This requires a special skill and maturity that most DPOs of the day have not been tested for. We know that our DPO carries various knowledge-based certifications and has put in years of service in reputed organizations, but we do not know how he may crumble when, despite his honest and tireless work, he is accused by everybody of not being able to prevent the data breach and, more importantly, of not preventing the leak of the news of the data breach to the media.
“Crisis Management Skill” is therefore an essential requisite of a good DPO.
“Crisis” by definition is an “Unexpected” event of disruptive proportions exceeding the “Risk Estimates” that are normally considered for mitigation. It carries an existential threat to the organization and requires an out-of-the-box solution to stem the adverse effect quickly.
No amount of policies and procedures will help unless the essence of such policies is ingrained in the thinking process of the DPO. Just as an aircraft pilot faced with an imminent crash cannot think of reading through a voluminous manual and has to take an immediate decision on what to do next, the DPO has to take a quick decision, often without any consultation with his superiors.
This calls for a “Decision Making” skill, which is part of being a good leader. To be able to make a reasonable decision within the capabilities of the person, one has to remain calm and not get panicky. If the DPO panics, he reduces whatever decision-making skill he may actually have. Many drivers who panic in an accident situation press the accelerator instead of the brake and cause more harm than they would have done had they simply taken their foot off the pedal, even without pressing the brake.
“Crisis Prevention” is definitely a strategy to remember, and all our Information Security measures and Data Protection regulations are aimed at preventing a crisis from developing. But some day, somewhere, we may face a situation where the risk mitigation efforts have failed and the crisis has emerged.
The question before us then is how to handle the post-crisis situation.
The first step in post-crisis handling is to identify and control those within and outside the organization who would only worsen the crisis by demoralizing everybody around them. Hence the DPO should learn to identify such elements and ignore them. The management should also recognize the possibility that all those who were inimical to the DPO will now take their daggers out and start accusing the DPO. Hence a “Disaster Committee” has to be formed, with the CEO and the DPO involved in every decision.
The second step is to ensure that no “Misinformation” is spread. At the same time the organization should avoid both false denials and pushing the problem under the carpet. Measured communication to the stakeholders is of utmost importance. Setting up a Disaster Information Center as a single point of contact for the public to learn the impact of the disaster is also essential to prevent rumours from spreading. Since the DPO’s e-mail could be flooded in such a scenario, immediate technical measures need to be organized so that the load is distributed to a back-end support team which sifts the queries and develops standard approved responses.
If necessary, the employees of the organization must be locked down, in the sense that they should be prevented by a strict order from communicating with the outside world about the crisis, whether or not somebody cries out “Freedom of Speech” or “Privacy”. In a crisis situation, the employees’ rights of freedom of speech or privacy have to take a back seat.
It is only after such fire-fighting has been attended to that one can focus on analysing the root cause, preventing further damage, making an impact assessment, reporting to regulators and so on.
To summarize, the requirements are:
a) Stay calm and avoid panic
b) Lock down the systems and people from creating further damage
c) Set up a disaster center with a small number of decision makers like the CEO and DPO with support staff
d) Maintain balanced communication to the stakeholders without deception or speculation
e) Ensure a single point information dissemination center to prevent rumors spreading
It is only after these preliminary efforts that we can consider the “Data Breach Notification”, “Forensic Analysis” etc., which are all necessary but need to be prioritized.
Decisive leadership skills, including team building, taking tough decisions, absorbing personal risks and not being afraid of failure, will be required, besides the ingrained knowledge and culture that enable the DPO to respond in the right direction even in his sleep.
At the end of it all, one can try to draw lessons from the crisis and share them as a knowledge base to address similar situations in future, including prevention and monitoring. While we do recommend “Sanctions” for most data breach incidents, a crisis sometimes requires a fresh look, since it may often happen that the standard sanctions would require most employees to resign and leave, which may not be the solution for building a resilient organization for the future.
Recognizing this need, Naavi has designed the “Certified Expert Data Protection Professional” program to include a module on the behavioural skills required of a DPO. This will be part of FDPPI’s plans for extending the current knowledge modules, namely Module-I (Indian Laws), Module-G (Global Laws) and Module-T (Technology). The other two modules, namely Module-A (Audit) and Module-B (Behavioural Skills), represent skills to be cultivated before somebody can be called an “Expert” data protection professional.
At present Naavi’s Cyber Law College, in association with FDPPI, is still building the base module, Module-I, which focuses on the knowledge part of Indian regulations. Though the importance of behavioural skills and audit skills is also covered in the base module, they will be expanded in the coming days into independent modules.