Eye-watering fines, public naming and shaming, embarrassing night-time raids from the ICO and damaging headlines on the evening news. Since the EU spearheaded the new era of data privacy with the introduction of the GDPR last year, most change has been sparked by fear rather than promise. Now things are changing.
As businesses come to understand the true value of the personal data assets they hold, enlightened companies are looking beyond the question of compliance. Today, it’s no longer just about doing the right thing because the regulator will come down on you if you don’t. It’s about doing the right thing for customers to earn their trust and support the very best business relationships, explains trust-hub’s Ian Bryant.
“Last May, when the GDPR fear factor was at its height, few companies were really thinking strategically about how they handled data privacy. Doing the right thing was no more than a box-ticking exercise to achieve the minimum requirements that kept the regulators happy.
“Here at trust-hub, we’ve always said that compliance isn't the focus but the output. Today, when we talk to enterprises about data privacy they want to understand how good personal data governance can support much more meaningful business goals.
Treating privacy as a priority nurtures trust
‘How can we use data governance to better manage business risk, strengthen customer loyalty and thereby improve our bottom line?’ or ‘What is the ROI on good data governance?’: these are the kinds of questions CEOs are asking these days. Businesses have come to understand that treating privacy as a priority nurtures trust and supports good, ethical business practice. This, in turn, delivers genuine business advantage. If your colleagues, business partners and customers don't trust you, they have little reason to stay.
Brands such as Facebook and Marriott have involuntarily driven this point home in recent months. Both have taken big financial hits, with multi-million-dollar penalties following data breaches. But the real loss they have suffered is the knock-on effect that comes with reputational damage.
Released this summer, IBM's "Cost of a Data Breach" report tells us that the average data breach exposes 25,575 sensitive consumer records and, in the United States, carries an average cost of $8.19 million per breach. The report identifies lost business, that is, reputational damage and the customer churn that follows it, as the largest single component of that cost.
What can your organisation do to make sure it doesn't become the next Facebook or Marriott?
“Rather than just focusing on the regulator, businesses have come to recognise that, when used to underpin trust and ethical values, personal data governance becomes the real differentiator that promotes better, more meaningful and more valuable business relationships.
Understanding that data privacy is more than just a box-ticking exercise represents the first big step towards positive change. Co-workers, business partners and customers need to believe that the privacy policies you administer are there to protect their best interests, not yours.
“For today’s digital generations, trust and ethics must come as standard. Whether it’s online banking, e-commerce, government services or social media, customers expect no less than privacy excellence from the operations they interface with. When companies fail to meet this gold standard, business suffers.
“To achieve this excellence, companies need to know what personal data they hold, what they are using it for and where it is stored. Many don’t: the world’s largest professional services business recently ran an exercise with C-level executives and discovered that most CEOs didn't know what personal data their own operations held. Crucially, they also need to know exactly what they would do if a data breach were to occur.
“Response to a data breach is often just as important as preventing an attack in the first place, as seen in the case of British Airways (BA). BA not only admitted its mistake but was quick to share what it was doing to fix the breach. This level of transparency is arguably what Facebook lacks in its approach to dealing with its privacy issues, which has led to a drop in both customer faith in the company and in its share price.
When the ICO stated that “personal data is just that - personal”, the clear implication was that businesses owe a duty of care to the data subject, not to the regulator. Indeed, the ICO's recent proposed fines for British Airways and Marriott clearly demonstrate that regulatory box-ticking is not a mitigating factor. Put simply, if you don’t implement controls to look after your customers’ and employees’ data, you are not looking after your business.
“This bias towards the data subject, not the regulator, underpins everything we do at trust-hub. The way we look at data protection or data privacy has always been around the individual. Demonstrating regulatory compliance is an important factor here, but the real value comes when good personal data governance is used to reduce the risk to the individual and deliver a better customer experience. Achieving true transparency is the goal.
“Our models and resources don’t just flatter regulators but actively help to protect organisations and their entire stakeholder community. We believe that trust and transparency should permeate through all levels within an organisation and its partners.”