This article appears in the Spring 2018 magazine issue of DOCUMENT Strategy.


When people think about the term “privacy,” they often focus on data breaches. After all, that’s what makes the headlines, but there is so much more to getting privacy right—and wrong—than the simple loss of data. For example, we’re talking about the use of data without consent, creeping people out with behavioral targeting and other customized services, the misuse of data by vendors without permission (as Facebook learned with Cambridge Analytica), and seemingly something new to add to the list with each technical innovation.

Now, the stakes are rising with the European Union’s looming General Data Protection Regulation (GDPR). Standing at more than 100 pages in length and the product of more than five years of legislative deliberations, it will redefine the way that privacy is managed across the globe. In the United States, we have largely focused on determining what is “deceptive” or “unfair.” Essentially, if your privacy notice tells people what you’re doing, you’re largely in the clear. Beware, web browsers, beware.

The GDPR introduces and codifies new rights for individuals over their personal data that’s collected and used by organizations. This regulation protects the personal data of all natural persons in the European Union (EU)—even non-citizens who happen to be within the territory of the EU when their data is collected. Further, its jurisdictional reach is such that any organization that is marketing to EU citizens, or processing the data of EU citizens, falls under its scope, regardless of where in the world that organization is located. With a potential penalty of 20 million euros or four percent of annual turnover, many companies are applying the new rules of the GDPR across their entire global business.

However, while the media and some compliance managers might be focused on that penalty, savvy organizations are more likely concerned about the damage to the brand that an enforcement action might cause. Further, it may even be a significantly loud complaint from a consumer organization alleging violations of the GDPR (or any other major privacy law around the world) that causes more consternation than a simple fine.

The US Securities and Exchange Commission requires most publicly traded companies to annually disclose potential risk factors, including cybersecurity concerns, in what are known as 10-K filings. Looking through the disclosure statements of more than 100 of the largest publicly traded companies, we found that the loss of personally identifiable information (PII) of customers or employees ranks first among the information-related risks disclosed in such filings—even ahead of risks such as the loss of confidential business information or proprietary trade secrets.

In a recent IAPP study titled “Loss of PII Is Top Digital Risk for Public Companies,” we examined what these companies feared most when disclosing privacy risk. Coming in at 83%, the greatest consequence of concern was “reputational harm,” which was far more than the risk of civil litigation (60%), regulatory enforcement (51%), or remediation (50%).

Quite simply, privacy and data protection are brand and trust issues, first and foremost. When Verizon knocked $350 million off of its offer for Yahoo in 2017, it wasn’t because of perceived loss of revenue or fear of regulatory action. Verizon made sure it was protected from regulatory penalties and lawsuits by forcing Yahoo to absorb those costs outside of the deal. Rather, Verizon was simply diminishing the value of the Yahoo brand, which took not one but two major hits thanks to reports of a large-scale data breach, which was followed by news that the breach was even bigger than originally reported.

Increasingly, organizations are coming to understand that managing the risk of privacy incidents takes much more than simply throwing money and technology at data breach prevention. Rather, they are investing in wide-scale awareness training, hiring privacy professionals to prepare for breaches through proper data governance, and working to develop corporate messaging that makes clear the great responsibility they feel in collecting, handling, and storing personal data.

EU regulators have made it clear that they will be guided by consumer complaints, which will likely be driven by the lack of access to the rights provided by the GDPR. If your organization has been focused largely on breach prevention as a way to reduce privacy risk, it may be time to reevaluate your risk register.

Sam Pfeifle is the Content Director at the International Association of Privacy Professionals (IAPP). Contact Sam at spfeifle@iapp.org or visit https://iapp.org.