When it comes to privacy and the personal data of clients, it is time for businesses and organisations to think beyond compliance and build a data-aware culture.
Why? Because a data breach can prove costly in many ways, from lost profits to a plummeting stock price and reputational damage that drives away customers.
Those were among the sentiments shared by Mark Thompson, global privacy lead at KPMG International, when he spoke to members of the Bermuda Chamber of Commerce.
Personal data handling is now an important component in the valuation of companies. Mr Thompson said a majority of the valuation of Facebook, a company with a market capitalisation of $537 billion, comes as a result of the huge store of personal information it has about its users.
He said that globally the value created by personal information is estimated at €660 billion ($780 billion) per annum.
“When you look at personal information and privacy you think about reputational value of organisations and the reputation it has on business,” Mr Thompson said.
Giving examples of the damage data breaches can have, he said Talk Talk, a UK-based telecoms company, saw its stock price fall 10 per cent after data relating to 157,000 customers was stolen in 2015. The company was fined £400,000 ($540,000) for the breach.
Last September, hackers gained access to the personal data of potentially 143 million customers of credit reporting agency Equifax in the US. In the space of seven days the company’s share price fell 35 per cent. Equifax has spent more than $100 million to remediate the situation.
Mr Thompson said the impact of privacy data breaches ranged from fines and negative effects on profit and share price to litigation and increasing response and ongoing compliance costs.
Penalties will become tougher next Friday when the European Union’s General Data Protection Regulation becomes enforceable. It covers the personal data of EU citizens and also addresses the export of that data outside the EU. It comes with stiff sanctions for non-compliance — such as fines ranging up to €20 million ($47 million) or 4 per cent of worldwide turnover.
He likened directives that were previously in force to “a domestic cat” that might give you a scratch, while GDPR and Pipa (Bermuda’s Personal Information Protection Act) are lions that, if annoyed “will take your arm off”.
Mr Thompson noted there was an interesting cross-border perspective with GDPR. “Think of an insurer with a primary residence onshore in UK or Europe, that wants to send data to Bermuda, they are told ‘turn that off, you can’t do that until it is privacy compliant’. For some organisations that could stop them existing in a couple of days.”
He said the issue is about trying to give customers control of their personal data, and two of the key factors a business or organisation should consider are trust and empathy.
“The more you behave like the individual, the higher the level of trust that individual is going to give you.”
He said empathy is the highest differentiator, and the more a product or service behaves the way a customer expects and likes, the more willing they are to trust the company or organisation.
“Privacy forces you to change the relationship you have with the customer,” said Mr Thompson.
Organisations should be transparent with regards to the data they process about a customer, and individuals should have choice and be able to control how and for what their information is used.
In addition, Mr Thompson said businesses need to ensure there is constant communication with clients that reinforces how they are processing information. They should also notify a customer if they lose their personal data.
“You are going to see customers’ expectations change. If an operator does not offer the same control, that is going to become significant,” he said, adding: “Promise is key — if you say you are going to do something around personal information, make sure you do it and stick by it.”
He advised that companies should always resolve privacy issues. “Organisations that don’t just won’t be around. Others won’t come to do business with them because of potential reputational damage, and consumers won’t use their services.”
Mr Thompson said organisations should align privacy with their business strategies, “and understand what GDPR and other regulations mean and ensure they address them in a way, and with a level of maturity that helps manage that risk, but also gives them an opportunity to leverage that data”.
He said businesses should be clear where the lines are that they will not cross with regards to personal data.
“Get the balance right between the need to create value to shareholders with products and services, but also protecting the individual.”
He said organisations should ensure they have sustainable privacy controls and compliance. “A lot of people are looking at the regulations and controls and saying ‘okay, we will do it once’, and then the consultants leave and the lawyers leave and there is one person trying to manage the risk. It needs to be operationally built into what you do every single day.”
Mr Thompson concluded by saying: “Personal information is like electricity, it powers everything you do. GDPR and new regulations can give you an aftershock.”