We have all read the headlines and know that data breaches are costly incidents for businesses and organizations to deal with.And GDPR has been \u2018done to death\u2019 with the headlines warning about potential fines of\u00a0up to \u20ac20 million or 4 per cent of a company\u2019s global revenue once the EU General Data Protection regulation comes into force next May.However, the true cost of a data breach is much greater, and is something that is neither widely discussed or documented.According to the 12th annual\u00a0Cost of Data Breach Study, carried out by IBM\u2019s Ponemon Institute, the\u00a0average total cost of a data breach in the UK in 2017 is \u00a32.48 million, with the average cost per lost or stolen record \u00a398.\u00a0\u00a0But looking at average costs is never going to really give an informative picture as to what a data breach would mean for your company and, where personal data is lost, those affected.We hear a lot about reputational cost of a data breach, with the accompanying publicity purportedly considered potentially more damaging than any monetary penalty, especially in terms of consumer confidence. But with high profile data breaches happening pretty much every week it is fast becoming the norm and consumers are fast becoming ambivalent.One wonders if the old adage of \u2018no publicity is bad publicity\u2019 is becoming relevant. It certainly seems that way at the enterprise level.\u00a0\u00a0Preventing and surviving a data breach are two different beasts.\u00a0Surviving a data breach means effectively anticipating it before it happens and, I can already hear the groans at the dreaded policy building, but putting a disaster recovery policy in place that really details what to do in the event of a data breach is the key to survival.\u00a0When the inevitable happens, having the machinery already in place to deal with the fallout could mean the difference between survival and bankruptcy, especially for smaller companies. I will leave prevention for another blog.The process for building a data breach disaster recovery policy is relatively simple; it\u2019s about anticipating requirements.\u00a0Meeting the relevant obligations in terms of regulation is a good starting point.\u00a0Finding out how a breach occurred can mean hiring an external forensic investigator or at the very least allocating in-house staff resources.Then you should establish who was affected by the breach and seek legal advice as to your obligations to those affected; which may mean factoring in credit monitoring services for consumers.You must know what laws apply to the breach, identify who must be notified and how soon you need to act. Document the process and timeline and factor in the costs of notifying any individuals affected. This could be directly by mail or email and through other media outlets. Depending on your size you might need to factor in a call centre as large volumes of customers will be calling you whether they are affected or not.\u00a0Imagine how many of Talk Talk\u2019s 4 million customers called them to find out whether it was their data that was lost. If you don\u2019t have in-house public relations expertise, hiring a PR firm to help direct and manage your message to the media and public would be a good idea.Then you must deal with legal costs from a government agency investigating you because of a breach, and consider the potential for class actions, especially since 2014 when the consumer no longer has to prove personal damage to make a claim.\u00a0 And all this before you get to any monetary penalties.Other costs are more specific to a company such as loss of income from a data breach, the cost of recreating lost or damaged data and lost opportunity costs.The resource cost of a data breach can be huge. Investigating data breaches takes up valuable time and takes employees away from other tasks. Then there is the human cost, with potential job losses resulting from a loss in business.Data lost might not necessarily be of a personal nature, but rather intellectual property, which opens up other avenues of potential consequences; if you lose IP you lose your competitive advantage.\u00a0Whether you lose consumer data or your company IP, in the worst-case scenario your business could go bust; many have.The cost of repairing the effects of a data breachThe simple fact is the cost of repair after a data breach is 10 to 100 times higher than preventing it in the first place; detection, prevention and reporting are key.\u00a0\u00a0Even if you think you have covered yourself as much as you can, with data loss prevention technology or endpoint security solutions, there is still the potential for a data breach; nobody\u2019s infallible.\u00a0This highlights why there needs to be a data breach incident response plan in place from the highest level downwards in all businesses and organisations, no matter the size.There needs to be a paradigm shift in information governance. We are slowly seeing this shift in responsibility in the largest organisations, from IT departments and chief information officers (CIO) to active board level recognition of the risk.But until there is a wider recognition that information governance and disaster recovery planning is integral to the health and wealth of a business or organisation, there will still be a significant risk not only to individual companies but also to UK PLC and the economy as a whole with data now recognised as the new currency.\u00a0 Don\u2019t let your business become a statistic \u2013 plan ahead.