To state the understated, it’s been an eventful 18 months when it comes to the outbreak of cyber security attacks, data privacy violations and data breach issues.
In recent times, there has been an amplification of allegations made against companies across the world that extend from the use of personal data to garner marketplace influence, a rise in the exposure from cyber-attacks, to significant increases in the number of data breaches.
Arguably, if companies like Yahoo, LinkedIn, Equifax and Facebook are anything to go by, then the number and severity of data-related crisis faced by companies in the year ahead is only going to get worse.
According to a recent Global RepTrak® study fielded by the Reputation Institute in January-February 2018 across 15 countries and based on the assessment of more than 230,000 individual ratings, the risks associated with big data and how it’s used versus protected by companies is becoming ever more of a focal point for everyone, not just regulators.
Because of this, it’s no wonder that many members of the general public are thinking “it’s about time” that the General Data Privacy Regulation (GDPR) is going into full force across 28 EU countries effective 25 May 2018, in providing them with added safeguards when it comes to the use and access to their own personal information.
But from an enterprise standpoint, the coming into effect of GDPR could have significant implications for how a company is able to operate. At a minimum, the new regulation might not only impact a company’s reputation but also its bottom line, especially as heavy fines could be associated with non-compliance. So conversely for companies, rather than welcoming GDPR, they may be more concerned about data related violations that could result in fines as high as four per cent of a company’s global revenue, or up to €20 million. That’s enough to make a communications director from any major company to become wary of the implications, especially one that works for a highly data dependent company, and may cause many to withdraw into low profile, proactive risk management mode of communication.
Corporate communicators have good reason to worry about GDPR
While there is a clear and apparent benefit to consumers, there are a couple reasons as to why communications directors should tread carefully when navigating their way around the implications of GDPR.
- It hits at a social and macro-economic raw nerve - implicit trust is declining. Over the past 12 months the world at large has been impacted by a major strategic inflection point that has put all big companies under the microscope of trust. Since the end of 2016, perceptions of most major companies have taken a set-back on the key measures of trust that impact reputation, due to the reports of record profits, corporate tax reforms, emergence of fake news, tweet ranting, and emergence of the #metoo movement. With the growing backdrop of skepticism and cynical view of most major companies, only 38.5% of the world’s population trust any large company to do right thing based on our latest Global RepTrak® study in 2018.
That takes away from benefit of the doubt and license to operate for all large corporate entities. What it will mean for tech companies, who tend put less emphasis on presenting a more human face to the world, is that they will have to work even harder to earn trust. But in this regard, potential data privacy violations and negative issues related to GDPR could serve to further undermine lack of trust.
- It represents an elevation of reputation risk for all companies. The relative weight of importance of data privacy and informational transparency-related attributes is critical when it comes to defining reputation. As can be seen from figure one, when combining the derived importance of three key attributes pertaining to product information disclosure, data privacy practices, and responsible marketing across global companies, it accounts for 12.4% of the weight of reputation. That suggest that there is a lot at stake for a company when it comes to contravening GDPR.
Certain industries like financial services, retail and pharma might have even more at stake – although given recent events at Facebook related to the data privacy scandal associated with Cambridge Analytica and the alleged exploitation of up to 50 million personal profiles, one might conclude that the tech industry might be the most exposed. In looking at the same criteria related to product information disclosure, data privacy practices, and responsible marketing 13.3% of tech companies is at stake in relation to GDPR. This would suggest that perhaps the tech industry has the most reason to be concerned about GDPR.
Figure 1: Data Privacy Reputational Impact
- Data privacy violations can be costly, and could hurt tech companies the most - from top to bottom. In the court of public opinion, the reputational penalty for abusing data privacy rights can be severe. While this is universally true for all companies around the world, it would seem that the risk exposure to companies who play in the tech industry in Europe could be highly acute. In specifically looking at tech sector data in aggregate across the UK, France, and Germany for example, based on RepTrak data from February 2018, the real risk to companies is spelt out clearly.
In assessing the potential to contravene data privacy regulation and misuse sensitive customer data, Tech companies could take a significant reputational hit on all the dimensions that shape perceptions of the company, and not just on the perceptions of good governance that most align with data privacy.
As can be seen in Figure 2, the looming risk of data privacy violations can result in an overall statistically significant if not dramatically negative decline in reputation pulse among tech companies from 77.8 to 64.4 (-13.4 pulse points) but it also has a negative impact on all the dimensions that impact the company.
As might be expected, perceptions of governance – associated with honesty, transparency and ethical behaviour - can be highly impacted (-10.9 pulse points) but also perceptions of leadership are at risk (-11.4 pulse points). But what’s especially concerning, is how that translates to business KPIs, given that the potential impact on behavioural support. According to RepTrak data, at least 10.8% of universal stakeholder support among the general public could be at risk, with a potential significant decline in willingness to purchase that could really hurt any tech business.
Figure Two: Global RepTrak® Study Risk of Data Privacy Violation (For Tech Industry) EU5 Only
The timing and potential impact of GDPR does not bode well for Facebook
It would be a major omission to not talk about the impact of the new data regulations from the perspective of Facebook especially given recent events. In many ways, one might say that the very reason that GDPR is being implemented is to protect the general public from the events that underscore the so-called “Facebook Data Privacy Saga.”
Starting with accusations of influencing the outcome of the US presidential election through the acceptance of nefarious advertising dollars from Russia, and the recent data privacy scandals associated with Cambridge Analytica and the alleged exploitation of up to tens of millions of personal profiles,
Facebook is at the cross hairs of a major data related issues that could cause it to literally lose face – figuratively and literally.
It's complicated: Facebook CEO Mark Zuckerberg has been called to account for his company's betrayal of trust. / Photo: Getty Images
What’s concerning about Facebook relative to GDPR, is that partly driven by the erosion trust associated with large companies, partly driven by the increase of inauthentic fake news in social media, and partly driven by ongoing data-privacy concerns directly associated with Facebook, the company has already experienced an overall statistically significant drop in its global reputation across the G15 economies.
This decline was underscored by an overall erosion of reputation equity, not just based on the emotional measures that define buy-in and support for Facebook, but also on the critical dimensions that shape how people think about the company. Based on the Global RepTrak® study (see figure three) Facebook has a pre-existing vulnerability on the dimensions of citizenship and governance.
But what’s especially alarming, is that these declines in reputation were measured before the recent data privacy scandal and prior to the launch of GDPR which suggests this imperfect storm of circumstances could have further disparaging impact on Facebook.
Figure Three: Global RepTrak® Study – Facebook’s Reputation
Aligned with the decline in Facebook’s reputation, the organisation has seen an across the board decrease in behavioural support. Beyond the significant decrease in trust for Facebook that cut even deeper than the overall global trends, the company also experienced major declines in measures of willingness to recommend and say something positive.
Even the measures of willingness to invest are down, suggesting that Facebook might experience challenges related to its share price value in the months ahead. What would perhaps be most concerning to Facebook though is that measures related to license to operate is down 11% to an overall measure of only 27% which highlights that nearly three out of every four people around the world do not give Facebook benefit of the doubt.
But again, the major concern here is that this data was captured right before the “data privacy scandal” so the real impact on Facebook could be much worse than even presented here in the study. Most recent data from county level RepTrak® would suggest that Facebook’s reputation is already at major risk – across the EU5 countries of UK, Germany, France, Italy, and Spain Facebook’s reputation is down to 56.6 which puts it into the amber-alert range of being considered as highly vulnerable.
In the year ahead, continued developments from the investigations associated with the Facebook and Cambridge Analytica relationship, and the enforced clamp down of the GDPR, could further push the company into the danger zone of reputation.
Thus far, Facebook hasn’t helped itself in the way it has managed the data privacy issues, and the leveraging of Mark Zuckerberg as its primary spokesperson in response to the crisis has not helped. As recently personified by Wired magazine, the caricature of Zukerberg suggests his personal reputation has been somewhat tarnished.
Recent CEO RepTrak data from Reputation Institute would further corroborate this.
The negative impact on Zuckerberg is in part due to the initial radio silence on the issue, delay in investigate allegations, the failure to fully acknowledge and accept responsibility, and attempts to pivot while trying to deflect blame.
The combination of lack of action, less than full transparency, and perceived acts of evasiveness have served to undermine trust in him and Facebook.
And most recent public announcement and declarations from Zuckerberg have not necessarily helped to inspire confidence. Perhaps the bigger issue here is not that Facebook has been compromised by data related issues, but rather from a business management and corporate communications standpoint, it has failed to effectively manage its narrative – and we’re now at a point in time where its narrative is being more managed by Facebook detractors.
And for some less than fully prepared communications directors that could spell trouble.