There is no doubt that this is serious reputational challenge for the venerable brand that could impact customer confidence. Difficult questions will almost certainly continue to be asked about how it happened. While data breaches have been a regular fixture in the news agenda over the last few years, this is arguably the first major breach in the post–GDPR world, a fact that has important implications for crisis comms.
TSB's handling of bungled IT upgrade a recipe for reputational disaster
With the introduction of GDPR, companies who find themselves embroiled in data breaches need to act with far greater speed and decisiveness. The new rules place an important emphasis on informing people whose data may been compromised as quickly as possible. This in turn increases the pressure on affected companies to mount a swift and effective external communications response as quickly as possible.
In this particular case, BA has risen to the challenge and should be commended for a strong – textbook, even – crisis PR response.
The first priority was, rightly, fast and clear communication directly with those affected. Within the space of two days, the airline had contacted all customers involved to inform them of the breach.
This was supported by a robust and effective external comms response, in which the right actors have played the right roles and the script has been on point. The airline’s chief executive, Alex Cruz, has been the public face of BA’s crisis response and does not appear to have shied away from potentially difficult media appearances, such as a live interview on BBC Radio 4’s Today programme.
His visibility and willingness to submit to hard questions has underscored the importance with which the company treats the breach, its concern for the people affected, and the commitment to taking remedial action.
British Airways has apologised after the credit card details of 100s of 1000s of customers were stolen.
— BBC Breakfast (@BBCBreakfast) September 7, 2018
Here's @British_Airways boss Alex Cruz: pic.twitter.com/TLCi1sDE5P
Added to the speed of the response and the visible role assumed by the CEO is the third important ingredient: clear and unambiguous messaging that directly addresses the pressing emotions and concerns of affected customers.
The CEO has offered an apology, rather than equivocation and excuses, and has already promised to compensate customers who experience financial hardship as a result of the breach. Advertisements taken out by the airline in newspapers will also have helped ensure that these messages reach a wide audience.
Swift action, a visible CEO, a clear and effective script – the contrast with one of the more memorable PR crises to affect the airline industry in recent memory, last year’s bungled response by United Airlines after footage emerged of a passenger being forcibly removed from a plane, could not be more clear.
In this post-GDPR world, companies worried about the security of data should rightly take heed of how BA has stepped up, taken responsibility, and limited the fallout.
Alex Goldup is an associate director at The PR Office
