A brief overview of risks and opportunities associated with taking a privacy-first approach with your prospects and clients.
Data privacy and protection have come to the forefront of risk and compliance discussions among business leaders and around the boardroom table. This is understandable, given the significant fines and reputational damage companies may incur if they mishandle personal information.
If your organization is processing personal information, these risks may apply to you. Depending on the jurisdiction, personal information may include names, birth dates, social security/insurance numbers, work email addresses, IP addresses, biometrics, or any other information that is linkable to an individual, such as medical, education, financial, or employment data.
Regulatory and Financial Risk
The introduction of the General Data Protection Regulation (GDPR) in 2016 established the high-water mark for data privacy regulations, applying new rules for organizations processing data for people in the EU. Fines for those that don’t comply can be as much as €20 million or 4% of global revenue (whichever is greater).
Since GDPR enforcement began in 2018, over €1 billion (USD 1.2 billion) in regulatory fines have been issued to companies ranging from start-ups to large multinationals. These fines are only the tip of the iceberg, as regulatory violations have ushered in a wave of civil litigation claims, often more costly than the fines themselves. In cases where an alleged violation could damage a company’s reputation, appealing a regulatory decision can attract even more negative attention. It is a slippery slope.
According to a recent report from Gartner, over 100 modern data privacy laws are in place globally, covering approximately 10% of the world’s population. By 2023, Gartner projects that coverage will increase to 65%, creating massive challenges for organizations with data subjects (i.e., prospects, clients, tracked website visitors) in those jurisdictions. Adding to the complexity, these laws are often applied at a local state or provincial level and sometimes differ by industry.
Some U.S. states have introduced modernized privacy laws, including California, Colorado, and Virginia. Ohio and other states are expected to do the same over the coming months. Canada’s Bill C-11, an Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act, was under review prior to the dissolution of Parliament for the federal election. It proposed GDPR-like rules and fines of up to 5% of a company’s revenues or $25 million (whichever is greater). Frustrated by the speed at which the federal government is moving, Quebec and other provinces have signaled their intent to enact their own modernized privacy laws.
Privacy as a Business Advantage
Some companies are recognizing that data privacy and protection go well beyond regulatory compliance, which should be viewed as a baseline requirement.
Take Apple, for example. The company’s CEO, Tim Cook, was recently quoted as saying that privacy was one of the “top issues of the century.” Apple’s privacy-first approach now permeates its product development, client engagement, and marketing efforts. And in typical Apple fashion, they have tapped into the hearts and minds of their customers, which will undoubtedly pay dividends well into the future.
The positive impacts of emphasizing data privacy and protecting personal data are numerous. Here are a few of the main benefits to organizations that take a privacy-first approach with their clients:
- Build a Trusted Brand:
A recent study from McKinsey revealed that customers generally do not trust companies with their data. Two sectors, Healthcare and Financial Services, achieved the highest trust scores — at only 44%. Trust scores in other industries were much lower — only 10% of those surveyed said they trust consumer-packaged goods or media and entertainment companies with their data. Because the bar for trust is set so low, the opportunity for enhancing customer trust through taking a privacy-first approach is significant.
- Win and Retain Business:
Building customer trust often has a direct impact on sales and account retention. As businesses seek to secure their supply chains and are more cautious about whom they do business with, security questionnaires and data processor agreements have become more commonplace. If your organization isn’t taking privacy seriously, your customers will do business with another company that does.
Those that cannot satisfy cyber and data security requirements demanded by their customers are increasingly at risk of losing business.
- Mitigate Data Breach Risks:
Companies that mismanage personal information are often exposed after a data breach, which can sometimes lead to significant reputational and financial harm. A survey conducted by global security firm RSA found that 69% of respondents would blame the company above anyone else (even the hacker) if a data breach occurred. Also, 71% said they have boycotted/would boycott a company that showed no regard for protecting consumer data.
Organizations that fail to comply with data protection regulations may also be vulnerable to the most severe fines, lawsuits, and potential director liabilities. By implementing best practices for data protection, risks associated with data breaches can be dramatically reduced.
Engage a Data Privacy Expert for Help
Let’s face it, properly addressing data protection and compliance is complex, and it’s not going to get any easier. This is particularly true for small and medium-sized organizations that lack the resources to hire dedicated privacy professionals.
Vayle can help. Schedule a no-obligation consultation with one of our Data Privacy Advisors today.