When the most significant positive brand association you can have could become the most negative one in an instant, you need to take it seriously.

For years a key aspect of branding has been focusing on issues like diversity and sustainability, issues that consumers value most and that they expect brands to take a stand on. Organisations have spent a fortune on Corporate Social Responsibility (CSR) programs to promote worthy agendas or causes such as these in order to gain positive brand association.

Recent research has shown that a new issue has emerged from almost nowhere to top the list that consumers care most about. Data security and privacy is now the thing that consumers want brands to be talking about, rather than their diversity or sustainability efforts.

A recent research report from FleishmanHillard Fishburn entitled ‘The Dying Days of Spin’ looked at the issues that were most important to consumers across all industries and sectors (not just tech). Many of the issues that it found to be of greatest concern, such as healthcare and education, were ones that consumers expected the government to act on. Interestingly, the main issues that consumers expected companies to act on are now security and privacy, surpassing things like diversity and sustainability that had previously topped this list.

For years consumers have simply trusted that technology would work and that companies would use their data responsibly. A series of high-profile incidents has shaken this trust, and it will take years to rebuild it to anywhere near its former level.

For software and technology companies, the connection between data privacy and corporate responsibility is evident. For the very first time, industry analyst firm Gartner has listed digital ethics and data privacy as one of the top ten tech trends for the year ahead.

Even in non-tech industries, however, privacy has become a major issue. 80% of UK consumers surveyed by FleishmanHillard Fishburn have stopped using the products and services of a company because the company’s response to an issue does not support their personal views.

With digital ethics and data privacy topping the list of issues that consumers currently care most about, it is clear that now is the time to take a stand on them. But what if you do so and then a major disaster occurs – what if you suffer a significant data breach or security issue?

You cannot avoid data privacy.

A new data regulation, GDPR, now applies that affects any organization handling the personal data of EU citizens no matter where the company is located, meaning that even U.S. companies which process the personal data of individuals residing in the EU have to comply. The regulation mandates prompt disclosure of any data breaches, meaning that if or when things go wrong, there can be no covering it up.

Whether or not they choose to take a stand on data privacy, all organizations face the risk of encountering a data breach at some point. Their priority needs to be the introduction of a culture that takes the issue seriously and thereby minimizes the risk of any breach.

The potential damage is massive:

  • The cost of resolving an issue: The WannaCry attack back in 2017 is estimated to have cost the NHS £92m. The figure includes £19m of lost output (based on 1 percent of NHS care being disrupted) and an eye-watering estimate of £73m of IT cost in the immediate aftermath to actually fix everything.
  • The significant fines under GDPR: Facebook was recently fined £500,000 by the UK DPA, the Information Commissioner’s Office, for the Cambridge Analytica scandal, but that was under the old regulatory regime. Under GDPR the fines could reach as much as €20 million, or 4% of annual global turnover – whichever is higher.
  • The threat of being unable to process data: Possibly more significant, however, than the fines is the ability of DPAs to suspend an organization’s permission to process customer data, an action that would bring your operations to a complete standstill.
  • The reputational damage: Finally there is the potential reputational damage of any incident. Given that your brand is often your most valuable asset, this could eclipse all the other costs combined. Facebook suffered the largest single one-day loss of share capital in history ($119 billion) when its shares dropped 20% after one recent disclosure.

Too many organizations, however, see data privacy and security as an issue for the IT department only, overlooking its broader reputational impact. In an environment where trust, good governance and transparency are key, organizations who do not link the risk of data privacy and security to the potential reputational risk are fooling themselves. The 2018 Global RepTrak® report from the Reputation Institute (https://www.reputationinstitute.com/research/2018-global-reptrak) clearly demonstrated that different areas of a company’s corporate reputation can be impacted during and after a data privacy or security-related crisis.

Not only will the perception of governance and leadership suffer, but also universal stakeholder support and brand loyalty among the general public could be put at risk. This kind of support correlates with the purchase consideration of stakeholders and could have a severely negative impact on the bottom line.

Although this area of research was focused on the tech sector, it is clear that data privacy and security related risks should be on the reputational agenda of companies in other industries as well. Many studies have shown that in other industries like finance, retail, and healthcare, up to a third of clients will stop doing business with organizations that experienced data privacy and security breaches.

It is time for corporate communicators and public relations professionals, those responsible for the reputation of their organization, to step up and incorporate data privacy and security risk into their crisis communications planning. If you think GDPR was a “nightmare”, just wait until hackers strike. And it is probably more a question of “When” and not “If”.

Taking action

When such an incident does occur, firms not only need to fulfill their regulatory obligations by promptly disclosing any breach to the regulator as well as any impacted customers, but they also need to counter any hysteria or misinformation that might arise which could interfere with their business or impact their brand.

Often the best way to mitigate or minimize the damaging impact of any incident is to engage with key privacy activists and social influencers. You cannot just do this at the last minute, when an incident has already occurred and you are facing strong headwinds. Relationships need to be built in advance and mutual trust established over time, so that if or when an incident occurs the trusted relationship can be used to counter whatever hysteria or misinformation the brand encounters.

So who are the top global social influencers for important issues like privacy? There are several ways to find out:

  • PAID: Use influencer management tools from firms like Onalytica.
  • FREE: Use the information that these firms provide for free, like topical influencer lists or profiles of top influencers (Example: http://www.onalytica.com/blog/posts/interview-with-bill-mew/).
  • FREE: Search on Twitter to see the highest ranked profiles for #Privacy.

The recommended path is therefore:

  • Take digital ethics and data privacy seriously NOW – you are no longer allowed to hide breaches, so take the issue seriously and minimize the risk instead.
  • Decide how public you want to be about taking a stand on digital ethics and data privacy – there is much to be gained in brand equity and competitive advantage from aligning to this key concern of your customers, but at the risk of more fallout if things go wrong.
  • Start engaging with key privacy activists and social influencers now so that any mutual trust established can be used to counter hysteria or misinformation if or when things go wrong.

Your customers want you to take a stand on data security and privacy – seeing it as more important than either your diversity or sustainability efforts. It’s up to you how proactive and public you are with this, but either way you need to be minimising the risk of a breach and also establishing the relationships with key influencers that will then enable you to weather any storm more easily if and when it comes.

Philippe Borremans also contributed to this post.