How fines from data breaches can impact company reputation
The importance of reputation – and a good reputation – for an organization can’t be overstated. Not only are the personal reputations of executives, partners, and C-suite individuals important, but the collective perception of a company is vital in the long run.
Companies, regardless of industry sector, that manage to build a positive reputation attract customers. This is partly because they are more likely to attract impressive employees, but their performance is also enhanced.
There are many statistics available that support the idea that effective reputation management for firms, no matter where they are based around the world, ensures sustained growth, happier and more loyal customers, and lower costs.
For example, according to the Harvard Business Review, up to 80% of the market value of a company isn’t derived from what they make or sell. Rather, it comes from less tangible assets, such as intellectual capital, strong relationships with customers, the impact of marketing and advertising, and the collective reputations of everything that makes up the brand or business.
An interesting phenomenon is that, despite the acknowledged importance of a good reputation for a company, the majority do not have an online reputation management strategy.
Of course, the approach differs according to the business sector, the person or people leading the online reputation management strategy and how deep their understanding goes regarding what can and does affect reputation.
The most common focus regarding reputation, in our experience, is on crisis management. This is where a company’s reputation suddenly matters more due to threats caused by a specific situation, such as a negative review that’s gone viral or something much worse.
While crisis management may seem essential, it’s far more beneficial to proactively manage reputation risk.
Reputation risk does not have a single, defined framework to follow. Rather, personal reputations must be managed, along with the company itself.
We’re not going to cover everything that can – or should – be done to manage reputation in this blog. For more examples of different aspects of risk and reputation management, head to the website of reputation management experts Igniyte.
Rather, we are going to look at data breaches and how GDPR compliance is essential to forge good reputations for businesses in the UK and the EU.
Any companies failing to comply with the GDPR (General Data Protection Regulation) are at risk of being fined and at risk of dealing with the fallout of a bad reputation.
To develop a coherent and workable reputation management plan, it’s necessary to follow every process.
Along with excellent customer service, oversight of reviews and working to create and develop a strong reputation, companies must also be able to demonstrate that they comply with the relevant regulations.
We’ve talked briefly about the kinds of nebulous factors that can impact the reputation of a company anywhere in the world.
And while the approach differs when it comes to various services and marketing decisions, there is good reason to also comply with strict regulations.
The conversation over the past few years regarding the media and online information collected by companies has grown.
To communicate with consumers about how companies are expected to deal with their information, the European Union introduced the EU GDPR in May 2018.
The GDPR applies to every country within the EU and to a couple outside. And while in the past the UK was subject to the GDPR, now that Brexit has been implemented, it’s a little different.
For example, the UK version of the GDPR operates along with the Data Protection Act (DPA) of 2018 to process personal information linked to UK residents.
Every company in the UK now must be aware of both the EU GDPR and the UK GDPR, as fines and penalties differ.
Regardless of how and where the penalty is issued, there is good reason for every company to do all it can to avoid one. A bad reputation can outweigh the positive, even if that positive reputation was long enjoyed. And an article in the media citing your company as an example of a data breach can knock it off track very quickly.
Consumers do read reviews and they do take notice of the kind of media coverage that could turn them toward competitors.
A conversation regarding GDPR compliance should have been underway for every business long before the legislation came into force in 2018.
Regulations surrounding the personal information of consumers are strict, and complying with them can take twice as long as you might expect.
When it comes to fines for infringements, the UK and EU GDPRs differ.
A maximum fine of £17.5 million or 4% of the annual global turnover (whichever is greater) can be issued under the UK’s version of the laws.
The fallout from this to the health of a company can be much worse than simply monetary. Examples of business reputations coming under fire in the media can be easily found online.
For example, Amazon may represent one of the most successful brands ever to exist, but its reputation is generally poor. And this was compounded by a massive £636 million fine under GDPR in August 2021.
Reputations of huge businesses like Amazon won’t, of course, be broken by examples like this. However, without the support that comes with being a multi-national Big Tech behemoth (something that has been long enjoyed by Amazon), the damage to reputations can be far greater.
The EU GDPR has set a maximum penalty of €20 million (just over £17 million at the time of writing) or the same 4% of annual global turnover.
In the first few weeks following GDPR being launched in Europe, Germany’s regulator was the most active.
The regulator managing GDPR in Germany in the last half of 2018 issued around 60 fines, and the examples are interesting because they include small and medium sized brands as well as larger companies.
For example, a business fined under GDPR at the time was knuddels.de. This social media company was fined for failing to secure the personal data of customers following a hack.
While the hack wasn’t their fault, the fact that the company had failed to encrypt the email addresses and platforms of 330,000 of its users was their fault.
By failing to protect the privacy and security of its users’ data against a breach, the business risked its reputation. Research shows that this is far from a one-off, with business after business displaying a laissez-faire attitude to their reputations.
More examples of GDPR infringements can be seen in this BBC article, and all these companies also took a hit to their reputation.
A justified reputation would be one where every business takes the time to review its processes and comply. The article above shows that this is far from the case, even when it comes to some of the biggest and most established companies out there.
Penalties for infringements of GDPR aren’t limited to fines. Every country has its own regulatory authority that takes a slightly different line.
For example, the UK’s Information Commissioner’s Office (ICO) can also issue warnings, impose a ban on information processing, order the restriction or erasure of information or suspend data transfers to other countries.
All of this is why the GDPR has a justified reputation for complexity and strictness.
When it comes to reputation management, we’ve talked briefly about how it’s not just about the overarching brand or business – the reputation of a person can be just as important.
There are far more examples of how an individual’s reputation can be damaged that move beyond GDPR, of course, but it’s still worth looking at how a person can be impacted.
The circumstances under which an individual can be fined relate to how the information is collected and processed.
If the personal information is processed by an individual rather than an automated process, then that person is also liable. It doesn’t, however, count if the information is used for household or purely personal reasons.
There are three things that can be considered when trying to work out your company’s reputation risk.
The first is whether the reputation the company is generally considered to have externally exceeds the real character and substance of the business.
The other two cover the internal management of reputation and how much the external reputation can be expected to change over time.
Reputation is all about perception, of course, which makes it complex to effectively manage.
A company reputation covers so many different aspects of its role.
The overall reputation of a business should be considered in the context of what its reputation is among its stakeholders. These range from customers to employees, and from regulators to NGOs and the communities within which it operates.
Drilling even deeper, each of these stakeholders has an opinion about the company across all kinds of categories. These range from its finances to customer service, how well (or not) it handles environmental and sustainability concerns, its intellectual capital, whether it complies with regulations governing customers’ personal information, and much more.
As a brand or business, you must have a good reputation across multiple categories and from multiple stakeholders to consider your reputation positive.
Managing reputation is not about creating a myth about the company, brand, business or individual.
Sooner or later, if a company’s reputation rests on PR fluff or fake opinions, it will fail to live up to them. Then it will be in a reputation crisis, for which it may or may not have contingency plans.
A common example of businesses failing to protect their reputation in this way is seen with the over-exaggeration of environmental or sustainability credentials. While this kind of story can be told in the media or through judicious press releases, as soon as it becomes clear to peers and consumers that the spin outweighs the actual character of the company, then the reputational hit can be extremely damaging.
The aim of every business should be to manage its reputation well before any kind of crisis is ever reached.
Let’s return to the importance of regulatory compliance in maintaining a positive reputation. Since 2018 when GDPR first took effect, fines (and therefore infringements) have increased exponentially.
According to the GDPR Fine Report 2021 from IT Governance, we can see how it’s changed over time.
In 2018, 16 fines were issued for breaches of GDPR across the EU, totalling €519,086.50. By contrast, in 2021 there were 429 fines issued totalling more than €1 billion.
And while a number of these are colossal fines issued to businesses such as Google and WhatsApp, smaller examples show just how damaging data breaches can be.
On 22 October 2021 for example, the ICO fined HIV Scotland for the way they sent out an email to 105 people. Because the company failed to blind carbon copy (BCC) and instead opted to carbon copy (CC), the personal data of people with HIV was circulated to everyone.
In this case, the ICO determined that the small charity’s bulk email distribution system was not compliant with the regulations and fined it. An incident like this can wipe out the good work a company is known for and severely damage its reputation. While it’s not clear that this happened to this charity, its risk management for data breaches and for potential damage to its reputation was not in place.
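The CC-instead-of-BCC mistake described above is one a bulk-mailing pipeline can catch before a message ever reaches the mail server. The following is an added example, not code from the original article or from the ICO: it uses Python’s standard email library to reject a message that exposes recipients in To/Cc and to rewrite it so they go in Bcc, on a constructed message with placeholder addresses.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# A bulk mailing may show at most this many addresses in To/Cc (the sender's own
# list address); every real recipient belongs in Bcc so they cannot see each other.
MAX_VISIBLE_RECIPIENTS = 1

def _addresses(msg: EmailMessage, header: str) -> list[str]:
    """Flatten every occurrence of a recipient header into a list of bare addresses."""
    return [addr for _, addr in getaddresses(msg.get_all(header, [])) if addr]

def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses that every recipient will see: To plus Cc."""
    return _addresses(msg, "To") + _addresses(msg, "Cc")

def bcc_recipients(msg: EmailMessage) -> list[str]:
    """Addresses that are hidden from the other recipients."""
    return _addresses(msg, "Bcc")

def check_bulk_mail(msg: EmailMessage) -> list[str]:
    """Return policy violations; an empty list means the message may be sent."""
    exposed = visible_recipients(msg)
    if len(exposed) > MAX_VISIBLE_RECIPIENTS:
        return [f"{len(exposed)} recipient addresses exposed in To/Cc; move them to Bcc"]
    return []

def rewrite_to_bcc(msg: EmailMessage, list_address: str) -> EmailMessage:
    """Move every exposed recipient to Bcc, leaving only the list address in To.
    smtplib.send_message() strips Bcc from the headers and uses it only for the envelope."""
    hidden = [a for a in bcc_recipients(msg) + visible_recipients(msg)
              if a != list_address]
    for header in ("To", "Cc", "Bcc"):
        del msg[header]          # EmailMessage removes every occurrence of the header
    msg["To"] = list_address
    msg["Bcc"] = ", ".join(dict.fromkeys(hidden))  # de-duplicate, keep order
    return msg

def build_sample() -> EmailMessage:
    """Constructed message reproducing the CC mistake; all addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "updates@example.org"
    msg["To"] = "updates@example.org"
    msg["Cc"] = "alice@example.com, bob@example.net, carol@example.edu"
    msg["Subject"] = "Monthly update"
    msg.set_content("Hello all")
    return msg
```

Running check_bulk_mail() as a gate in front of the sending step, rather than relying on whoever composes the mail picking the right field, is the control that would have stopped this particular disclosure.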