The impact that privacy laws such as the California Consumer Privacy Act (CCPA) and the EU General Data Protection Regulation (GDPR) have on organizations goes beyond privacy alone. This is similar to other regulations, such as the U.S. Sarbanes-Oxley Act of 2002, which changed the corporate world permanently. The challenges for management and the controls needed for implementation reflect this, as they span departments, information systems and business processes.
How companies deal with such laws and obligations obviously has a huge impact on enterprise and brand risks. It is often noted that an insufficient level of privacy protection or breaches of personal data may lead to loss of consumer trust and damage to businesses' reputation.
On the other hand, not enough is said about the opportunity to leverage CCPA and GDPR efforts when mitigating brand reputation risks that would otherwise remain. Brand risk is perceived by many to be the most significant risk area for global companies in the years to come, and being able to leverage an existing privacy program might be the first step toward comprehensive and holistic brand risk management.
What are the main overlapping areas?
The biggest overlapping area is ethics. Companies and businesses perceived as unethical face an existential threat. In the long term, this is also detrimental to their brands, and restoring good standing for such brands might be difficult if not impossible.
At the same time, building and demonstrating ethical posture takes ongoing internal and external efforts. With CCPA and GDPR programs, companies can demonstrate their ethical behavior by respecting consumer privacy, being transparent and living up to their promises on how they handle data, respecting individual rights, proving trustworthiness and putting ethics before short-term profits.
Long-term profits usually require meeting consumer and societal expectations, and thus, they would rarely need to be sacrificed. Importantly, within the privacy program itself, a deep notion of ethics and ethical data usage must be considered as a cornerstone and basic tenet underpinning the framework and processes. The reasons why we collect personal data, how we use them and any decisions based on them should be fair, and we need to be able to justify this in practice.
Second, there is organizational maturity.
This is still important for consumers but even more so for investors. Privacy and how you handle personal data is deeply intertwined with almost all business processes and activities. Being able to identify, manage and control such processes says a lot about the company, its brand and overall level of governance, risk and compliance programs. Whether compliance and privacy requirements can be integrated into all functions and activities demonstrates the overall management practices of the business and whether it can swiftly and efficiently react to the changes, as well as proactively manage business objectives in light of evolving risks.
Again, this translates directly to brand reputation. Additionally, companies increasingly treat overall data management as a separate discipline, making sure information governance plays a central role rather than only coming to light when privacy or security issues related to such data need to be discussed. Depending on the industry, this is also important when considering the risks and opportunities in how data are utilized.
Next comes funding, which is quite obvious. How much an organization can and is willing to spend on privacy matters to consumers, investors and market analysts. This is about having sufficient resources, including how a budget is spent in practice, how such expenditures translate into what is then presented as an outcome, and, last but not least, whether an organization is willing to invest in things such as privacy, considering both short-term regulatory requirements and long-term brand value.
It also matters whether this is done solely with legal compliance in mind or whether privacy is also built into products and services that are privacy friendly and meet consumer expectations. The latter indicates a more strategic approach to investment and fund allocation, which is necessary for creating long-term value.
Information security is in focus under the GDPR and CCPA, and maintaining an appropriate level of confidentiality, integrity and availability for the data in question requires a holistic approach. Cybersecurity, physical security, asset management and information systems classification are all considered important not only by auditors but by anyone interested in the situation of the given company. This topic, however, usually receives a lot of attention already, as cyber risks and security breaches easily make media headlines.
Conclusions
It is difficult to measure brand reputation and ethics, but that does not mean they do not figure into a business's bottom line. They usually turn into real numbers when strategic decisions for the business are taken. This is where it should be demonstrated how CCPA and GDPR efforts contribute to mitigating brand reputation risks.
Also, whether a company treats emerging laws and regulations such as the CCPA and GDPR simply as a compliance cost or as an opportunity to improve and to create innovative services and products is an important message for investors and for anyone interested in the value and prospects of a given brand.
Thus, your GDPR and CCPA privacy programs might be an important indicator of many organizational strengths and deficiencies. This also means that brand reputation risk can be better understood and managed if you leverage your privacy program and use the lessons learned while creating and implementing it.
At the same time, holistic brand reputation risk management is about many other areas that have little to do with privacy. Nevertheless, a comprehensive and working privacy program can be used as a first step to create holistic brand reputation risk management because it identifies some of the same important focus areas, covers all business processes and functions, and ties the overall process to managing external trust, with effective communication and transparency very much in the center.