The General Data Protection Regulation grabbed the world’s attention with its unprecedented (potential) fines since it came into effect May 25. However, its true impact goes much further, as it also empowers the regulators to issue corrective actions that can in turn disrupt a company’s core activities. The reality now is that complying with privacy laws such as the GDPR plays an increasingly significant role in a company’s valuation.

In its simplest form, the valuation of the company is obtained by the sum of all revenue-generating activities less the sum of all revenue-reducing activities. Moreover, we need to consider valuation from several angles: during a merger & acquisition, an initial public offering (IPO) and as an individual investor.

When considering a M&A or IPO, valuation typically involves a more in-depth analysis. For example, a company may be requested to provide the evidence to support its projections, which in turn can affect the useful life of an asset or the discount rate of an asset. As an individual investor, valuation may be looking simply at the stock price. However, in all cases, when a financial penalty such as a fine is directly imposed on the company, this directly impacts the balance sheet of the company and reduces its valuation.

Consequences that impact revenue-generating activities

  • Temporary suspension of business.
  • Cessation of business.
  • Damage to stock price.

Consequences that impact revenue-reducing activities

  • Fines up to 20 million euros, or 4 percent of the global annual revenue of the prior financial year, whichever is higher, for charges under the GDPR.
  • Under other jurisdictions, the direct fine is typically up to $1 million.
  • Cost of investigation, incident response activities and implementing corrective action.
  • Cost of recovery.

What happens when a data breach occurs?

When a privacy breach happens, the media, especially the international media, is quick to report. This directly hurts the company’s reputation and lowers client trust, which can induce an exodus of clients and termination of contracts. As it involves personal data, the individuals affected have the right to sue the company. This will also trigger an investigation by the governing authorities — mandated in part by the 72-hour notification requirement under the GDPR — where a large group of people, including the senior management, will be required to stay grounded while the investigators visit and interview them.

If the company is a data intermediary to another company, a failure to demonstrate compliance thus directly affects its credibility and hence ability to perform its core activities. In turn, this could put the company out of business as current contracts may be voided and the company remains unable to take on new contracts. Should the company be found guilty or negligent in its privacy-compliance efforts, the company may face fines in each of the jurisdictions it operates in, which may result in hundreds of millions of dollars in fines, and in most Asian jurisdictions, jail terms.

Take for example, the recent Facebook-Cambridge-Analytica scandal.

In just two weeks, Facebook’s stock plummeted 18 percent, where an estimated $80 million was wiped off its market cap. In the ensuing months, Facebook continued to face fines in other countries, such as the U.K., where it has recently been notified by the Information Commissioner's Office that it intends to fine the company $500,000 GBP. Mark Zuckerberg, the CEO of Facebook, was even summoned to testify in front of U.S. Congress, where he made a slew of promises to fix the way Facebook handled personal data. Notably, he outlined the importance of privacy in his statement, “We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you." This goes to show that for data-centric companies like Facebook, an issue that severely affects user trust can affect its core business activities, thereby affecting the company’s reputation and reducing its value.

More significantly, Cambridge-Analytica, which harvested data from Facebook and used it to further its own business purposes, has now ceased its business operations worldwide. This goes to show that for companies whose core activities depend heavily on data, failure to comply with privacy laws could reduce the company’s valuation to the extent of threatening the company’s very existence.

You could be spending more on recovery and corrective activities when you fail to plan ahead

In its first-quarter earnings report, Equifax revealed it has spent $45.7 million on IT and data security and $28.9 million on legal fees, bringing the total amount it has spent since its September 2017 data breach to $242.7 million so far. It is important to note that the costs of post-breach activities would be correlated with the scale and nature of its operations, not the size of the company. In other words, a small company that focuses on data processing activities could face equal or even larger corrective costs if privacy was not afforded due consideration in the early stages of business preparation.

Thus, companies should consider setting a budget and should engage privacy professionals to review and design their processes, which could prove to be a cost-saving measure instead.

Privacy compliance can go both ways

From the accounting perspective, a company’s valuation is gauged by two key categories: tangible and intangible assets. Gartner Inc. predicts formal auditing practices and internal information valuation will take place by 2021, largely due to the rise of the importance of data in relation to business activities. Hence, under the current scope, a useful model would be valuing data assets as intangibles under the IFRS, where the useful life of an asset (in terms of revenue generation potential) and the discount rate of an asset are considered.

For instance, a company such as an e-commerce firm may project its earning potential from the revenue-generating tasks from processing personal data. Now, if the company did not have in place appropriate privacy measures, this could mean that the company would be ordered to suspend its online business. While this may not signal an immediate shutdown of the company, it will most likely cause companies to fall short of their targets. When this occurs, the company’s valuation will suffer a decline, as accountants may question if the data can indeed generate the entire projected value and if the company has provided an accurate estimate of the lifespan of the data.

On the other hand, with the rise of new privacy needs, companies may discover new revenue streams and new value propositions to their clients. For example, insurance companies have poured in significant efforts into cyber insurance to offer additional layers of risk management for companies. Device manufacturers are also increasingly keen to offer secure disposal services to their clients as demand for such ‘trust’ services surge. Therefore, privacy compliance need not be purely a "cost-center" activity, but through enhancing client trust, can likely bring about greater profitability to the company.

You have control over your company’s valuation

Failure to comply with privacy laws could severely reduce a company’s valuation. However, privacy compliance also builds up trust with clients, which may open up new client needs and boost the company’s profile, thus raising its valuation. Hence, companies  should view privacy compliance as a formidable asset and work with privacy professionals to capture the companies’ unrealized potential while protecting its realized value.

photo credit: Images_of_Money Lots of Euro Notes via photopin (license)