A new frontline in corporate reputation

Under GDPR, data privacy and security will become the new frontline in corporate reputation, and companies that strive to better understand their customers’ fears and needs will have a profound opportunity to strengthen their loyalty.

According to our survey of 2,000 adults, 64 per cent of people currently trust companies with their personal data. The strongest reasons for trusting companies are because ‘they are an established brand/have a strong reputation’ (29 per cent) and because ‘they have been my provider for a long time’ (18 per cent).

Specific data practices, such as transparency relating to data privacy policies or using data for reasons other than its original purpose, are considered to be less important, although this is in many ways a false distinction to make. If companies fail to shore up their data defences, it is their brand that will take the hit.

Trust is highest in banks, followed by insurers, then energy companies, and finally television, phone or internet providers. This is likely to be primarily due to customer understanding of the complex regulation banks have to adhere to. The low churn among banking customers compared to energy or internet providers also works in their favour.

However, although long-standing relationships and brand reputation are important, transparency and communication also matter a great deal. Our findings reveal that trust is correlated with customers knowing what data companies hold on them: this is true for 54 per cent of bank customers compared to only 40 per cent of energy customers.

This is partly because banks are considered by 55 per cent of people to send ‘the right amount’ of communication regarding their personal data, compared to 46 per cent in other sectors. On average, a third of people (33 per cent) currently receive no information whatsoever about the personal data held on them.

Going forward, the companies that customers trust to protect their data will not necessarily be those that claim they are the best at data privacy, as Marcus Scott, chief operating officer at TheCityUK, points out: “If you think of the brands the public trust, it’s not because they say they’re trustworthy, but because they demonstrate it. Firms that say they have the best data guardianship in the industry may be setting themselves up for a fall.”

To earn a reputation for good data privacy management, companies need to show it matters to them through action. This will mean ensuring personal details given in one context are never used for other purposes, providing information that genuinely benefits customers rather than ‘marketing fluff’, and responding quickly and fully to customer queries about how their data is stored and used.

Ear of the board

Reputational risk is a board concern. As such, it is the board’s responsibility to actively monitor and oversee data governance activities.

However, not every board is ready to accept data governance as a commercial and strategic driver, and chief data officer is not yet a standard senior level role. Edward Tarelli, director of operations at E.ON, is concerned about the possible effects of this gap: “My worry is that many organisations have a middle manager focused on GDPR who doesn’t have sufficient access to senior executives.”

That said, data governance is becoming a much more professionalised activity. Chief data officers, where they exist, act as guardians of data within a company and determine the data governance strategy. They have technical knowledge, legal awareness and business insight. Companies without one need to create this position and give their CDO a seat at the executive table.

Data breaches: preparing to respond

Preventing the loss of confidential data is paramount. But being prepared to act if something does go wrong is also critical to an effective data governance strategy.

Our research reveals that companies could risk losing up to 55 per cent of customers if they suffer a significant personal data breach. As many as 30 per cent of affected customers would ‘switch provider immediately’ and a further 25 per cent would ‘wait to see a media response/what others say and do’ before switching.

Given the expected rise in data breaches under GDPR, this potential threat to customer retention highlights the choices companies need to make now, for the sake of their business.

Companies would be wrong to assume this is an issue the public are unaware of or uninterested in; our research shows customers are becoming savvy about data protection. As Edward Tarelli describes: “Highly visible cases of recent data breaches have brought data privacy and security to the forefront of consumers’ minds.”

Yet, many firms will fail to get their data house completely in order before GDPR’s May 25 deadline.

In our experience, nearly all companies have multiple versions of customer information saved to different systems. These firms cannot trace the source of their data or confirm its validity. They also struggle to establish a lawful basis for each data processing activity, exposing them to higher risk of a data breach.

Under GDPR, it will be critical for firms to establish integrated data systems for the secure storage of personal data and the processing of subject access requests.

A robust infrastructure not only protects, it also enables meaningful insights to be derived from that information. This will allow businesses to act quickly and flexibly to respond to changing trends, giving them a competitive edge.

Lightning could strike twice

Even if customers do not choose to switch provider in the event of a data breach, because the perceived hassle factor is simply too high or they believe they are safer staying where they are, a loss of trust is inevitable and no company is immune from a second lightning strike.

The definition of a data breach within the GDPR is extremely broad and will require companies to consider the full range of scenarios that could occur. Breach management processes will need to accommodate additional requirements that necessitate a formal response and notification to the ICO where people’s rights and freedoms are at risk, and no later than 72 hours after having become aware of it.

At the same time, companies will need to engage internal or external experts and escalate the situation to the accountable executives without creating overly burdensome operating processes. They will also need to be prepared to tell customers if their data was affected, whether they need to change their passwords and any other sensitive information, and if the leaked data could be further compromised.

Contagion effect

Companies should be warned: rightly or wrongly, customers will look across the entire sector if a firm experiences a leak. As Edward Tarelli explains: “I’d be very concerned if any organisation in our industry, regardless of size, had a major breach because it would pull the rest of the industry into that negative perception.”

Companies cannot be fully protected against this, but they do have options. Peter Jackson, chief data officer at Southern Water, acknowledges there is a choice to be made: “Companies need to consider what they would do in the event one of their close competitors experiences a data breach – whether they would acknowledge it and release their own communications to reassure customers or just wait and hope it doesn’t affect them too.”

Whole team effort

Many companies will treat GDPR primarily as a compliance or an IT issue. Clearly, technology will play a huge role in preparing for implementation and it would be foolhardy not to ensure compliance. But what good management teams should strive for is buy-in from the whole team. Telling staff that GDPR is the law and we simply have to live with it will not ensure continued compliance, nor will it get the team working together to exploit the potential commercial opportunities the regulation brings.

For GDPR isn’t just about being prepared for a crisis. It is about proactively speaking to customers and explaining what data is currently held on them and why, so you can engage them in a healthy and commercially beneficial conversation. Just the exercise of finding the data and understanding where you obtained it from presents a massive opportunity.

Carrying out re-consenting requests, for example, is a chance to capture more data on your customers, so you can make sure they get the right products to satisfy their needs.

Ultimately, companies should strive to be in a position where customers actively share additional information with them because they are trusted to use it well. Get there and a whole world of opportunity opens up, in creating truly bespoke products and services, anticipating and responding to changes in behaviour and trends, and rewarding and retaining customers. GDPR can set a new path for growth.

The article is extracted from the full report, GDPR: The new frontline in corporate reputation, available for download at www.baringa.com.

Dan Golding

Dan Golding is director of Risk & Compliance at management consultancy Baringa Partners LLC. He has over 15 years of risk and regulatory change experience across financial services, energy and media. Dan leads Baringa’s GDPR capability and has worked with clients globally to assess the impacts of the new regulatory obligations, design compliance strategies and mobilise transformation programmes to mitigate risk. Dan regularly publishes thought leadership on data privacy and security, and contributes to numerous publications, industry working groups, forums and conferences.