The unusual couple: how data privacy and GDPR can advance CSR efforts

The introduction of EU General Data Protection Regulation (GDPR) over two years ago set the new standard for the protection of personal data laws across the globe. Several countries in the Asia Pacific region, such as Malaysia, Singapore, and Thailand, have amended their local regulations, by either borrowing various concepts from the GDPR or strengthening current laws to protect consumers.

While companies were able to minimise impact to consumers in adhering to GDPR standards, the impact to the enterprise is different. One by-effect of the data privacy laws evolution, has been a wide-scale transformation of how information is managed in the enterprise. Major overhauls of underlying systems are costly and challenging, from both a technological and a cultural perspective.

Despite these challenges, these efforts to manage information digitally and securely will serve to drive value for a business - greater operational efficiency, revenue-generating capacity for new insights for their businesses.

Data privacy driving benefits

A lesser known upside to this transformation is the business benefit of companies associating data privacy initiatives with broader goals of corporate social responsibility (CSR). CSR, like data privacy, is becoming increasingly central to how companies differentiate themselves in the market. On occasion, we have seen data privacy and CSR align, not just in policy but in behavior.

A good early example is the Heartland Payment Systems data breach in 2008. The sixth-largest payments processor in the US became a victim of a massive breach which affected undetermined number of consumers. By going beyond their mandatory legal requirements, the company made details of the attack public, helping competitors in the industry to protect themselves against similar incidents.

A NEWSLETTER FOR YOU

Friday, 8.30 am

Asean Business

Business insights centering on South-east Asia's fast-growing economies.

Sign Up

While Heartland Payment Systems does not have presence in this region, the lesson learned from its incident is one that is universally relevant, even in today's context. The data breach was soon overshadowed by a series of positive developments - the company chose to be fully transparent in the disclosure process, followed by significant efforts in educating consumers-even competitors-on data privacy, and starting valuable dialogues in the aftermath. Most importantly, the company was able to rebuild its reputation by showing consistent commitment to improving security standards - a unique turn of events that demonstrates the topic we are exploring here.

Heartland Payment Systems both generated goodwill in this instance and helped to make payments processing a safer industry. Aligning data privacy with CSR, such as public-facing CSR declarations or publicising data privacy initiatives, helps to shift perception that data privacy can be used to advance a business's responsibility to its community.

The misalignment between responsibility and privacy

While there are several benefits to aligning data privacy with CSR efforts, in practice, only a few companies make an explicit link between privacy and responsibility. This is not surprising as a data breach - especially a significant one that garners media attention - puts organisations in a negative spotlight which have potentially damaging impact to a brand's reputation. When such high-profile breaches occur, many organisations quickly shift their focus on cleaning up the mess and moving on, instead of operating on privacy-first principals and leveraging the situation for the greater good.

As survey after survey points that consumers care deeply about the privacy of their data and will react badly to any breach or mishandling of it, we might reasonably wonder: why does this gap in organisations' behaviour towards data breaches exist?

One reason might simply be that, as much as an average consumer might care about privacy in principle, in practice the issue is too complex and confusing to effectively act upon. Research from Kaspersky showed that 83 per cent of respondents make up their own passwords, without using password generation tools and almost half never check if their passwords have been stolen. In APAC, more than 20 per cent of respondents are willing to offer up their personal details in exchange for free products or services, while another 24 per cent would be prepared to share their social media account details to participate in fun quizzes. Perhaps most significantly, from a CSR perspective, only a third of people read end user license agreements before agreeing to them.

The difficulty of engaging directly with the various privacy policies of the wide array of businesses we interact with on a daily basis means that consumer attitudes towards how those businesses deal with privacy is less a matter of policy and more a matter of perception and reputation.

When asked, consumers tend to rank banking and healthcare as relatively trustworthy sectors when it comes to privacy, even though data from European GDPR regulators suggests that their performance in this regard is generally no better or worse than other sectors. Social media, meanwhile - where we perhaps place more personal data than anywhere else - ranks low on trustworthiness. Recent news suggests that this lack of trust may be having consequences on those companies' standings.

Looking to the future of responsible privacy initiatives

There is, then, a gap between CSR and data privacy which feels likely to close at some point in the not-too-distant future. It is easy to see how doing so can result in benefits for enterprises, their customers, and their business partners. For enterprises, supporting marketing efforts with proactive and overt indications of how personal details are collected and applied could help to generate a CSR-halo effect of positive customer feeling. For customers, data privacy-led CSR might mean offering privacy health checks, providing clear guidance to make their data safer and privacy protection less confusing. For B2B partners, support can be offered through a data privacy value chain with open standards and shared resources.

With new information management process being introduced at significant cost, companies are looking for return-on-investment. Return will be found in the fact that these processes are opening the door to effective CSR action on privacy. But most importantly, businesses will hopefully reach a logical conclusion that managing data safely is part and parcel of making the world a better place.

The writer is president, Asia Pacific and Japan, at Micro Focus.