A guide to managing GDPR reputation risk factors
Managing a company’s reputation is complex so any online reputation management strategy must include risk management for consequences for any GDPR breaches.
Reputation management covers a broad spectrum of strategies, all with one thing in common – to boost the subject’s online reputation. A company’s reputation is governed by the external perception of its brand. This means everything online that mentions the business itself or an individual working there. So, while online reputation management may broadly seem to only be necessary for big brands or famous people, this is not the case.
While the brand value of a business can be damaged by many different eventualities, including but not limited to, negative media coverage, a viral Tweet from a C-suite manager, a poor response to a negative review, in this blog we’ll be assessing the reputational risks linked with the General Data Protection Regulation.
The General Data Protection Regulation (more commonly known as the GDPR) was launched across European Union member states in May 2018.
GDPR compliance is about proving that businesses monitor customer data and process data in the correct way. And if they don’t, the business may find themselves copping penalties due to data breaches or otherwise failing to comply with the regulation.
Before we go on to look at how data protection laws like the GDPR impact organisations, it’s worth noting that even though the UK has now left the EU, it is still subject to similar regulations.
The UK GDPR and the Data Protection Act 2018 also aim to build trust with customers by ensuring that businesses comply with strict data protection procedures. The new legislation is based heavily on the EU’s GDPR, with similar penalties.
Reputational damage occurs when businesses are found to be guilty of non-compliance. When this happens, significant fines can be levied against the organisation.
The risk factors include negative coverage of the GDPR related penalty that can cause a damaged reputation in the same way that a major cyber related incident.
Penalties for a data breach connected with GDPR can be severe. The regulations state that should the personal data of existing customers or potential customers (data subjects) be compromised in some way, then the business can be fined.
But when it comes to reputational risks, it’s not just about the fine. The financial cost to businesses for failing to ensure GDPR compliance will go way beyond huge fines.
Reputational damage can – and in many cases will – incur extra associated costs. These include the consequences of bad press, which inevitably leads to lost customers, the risk of declining stock and higher borrowing costs.
All of this can damage companies, stifle growth, hold back innovation and fail to show them in the very best light. Depending on the size of the company, and the severity of articles or media coverage, the risk to existing and potential clients and customers can be massive.
However, reputational risks associated with GDPR, whether in the form of a data breach or other failure of security surrounding personal data, are difficult to define.
This is because the reputational damage caused by these regulations to a company that is found to be non-compliant depends on many different factors. These include the size of the company, the industry within which it operates, how exactly it has been found to fail to adhere to the processes, the timing, and the length of investigation by the organisations assessing compliance.
For example, it’s likely that the bigger the organisations are, the more they must display full transparency surrounding the regulations.
Larger companies are likely to be under higher levels of scrutiny and therefore are at a higher risk of failing to manage data privacy for the data subjects in their care. In other words, their reputational risk is higher due to the sheer amount of personal data that they manage on behalf of the data subjects involved in their data collection and processing.
There is also the fact that larger companies are more well-known due to higher brand awareness among customers or potential customers. Certain companies work within industry sectors that are more stringently monitored by the EU. An example of this is the US tech sector, and businesses within this sector are at an even higher risk of the new regulations.
The flipside for larger businesses is that they are also far more likely to be well prepared, understand the law, adhere to the new regulations, and have solutions in hand to respond to any reputational risk associated with GDPR.
Higher-risk sectors may end up suffering less reputational damage due to the fact that they are prepared. Forced to understand the costs of failing to control data processing and comply with GDPR, their overall risk could end up being lower.
Companies that deal with data collection, data protection and all kinds of personal data for their customers, but operate within lower risk industry sectors, may end up dealing with more reputational damage due to a data breach fine or penalty.
The biggest factor that will impact the online reputation of the company that is considered to have failed to comply with data protection under these new regulations, is exactly how the regulators determine the breach.
There are many different reasons that a fine for non-compliance can be levied against businesses. Some of the reasons given for GDPR fines can be more damaging to the organisation’s reputation than others.
GDPR fines can broadly be divided as follows. Article 83 of the GDPR is titled ‘General Conditions for Imposing Administrative Fines’ and says that:
A rough example for the first level of fines would be companies failing to put in place data minimisation protocols. The second level of fines would be levied for non-compliance with data subjects making right to erasure requests without good reason or for collecting personal data without informing the data subjects.
Either breach of the regulations could negatively impact the online reputation and the offline reputation of the business in question.
Reputation management strategies should legislate for such problems, ideally by ensuring that data protection laws are complied with in all cases.
If a data breach is suspected, then the investigation alone is likely to see the stock price of the company fall. Coverage of the investigation in the media could also impact online reputation and drive customers away.
It’s not unusual for a data protection authority to take at least a year to conclude such an investigation. And, of course, at that point the news will further damage the company’s online reputation.
During this lengthy time, it’s possible that other factors come into play to further damage the reputation of the company being investigated. This could range from a new product launch that fails to gain traction or the customer experience coming under extra pressure.
When multiple factors come together, from ways businesses react to problems to noncompliance with regulations, it’s difficult to assess exactly which factor does the most damage to its reputation.
Large-scaled data breaches are relatively regularly in the press, showing that non-compliance with various data privacy laws are happening. This means that being the 10th company to be found in breach of the regulations rather than the first doesn’t control the fallout for the future reputation of the company.
Solutions should be found for compliance with data regulations and a process put in place to mitigate the kind of reputational damage that could affect the business in future.
Here’s what every business can do to protect their reputation through ensuring personal data is processed in line with GDPR. The following also includes the kinds of management plans that should be implemented to future-proof the security of the company’s reputation from all kinds of potential risks.