It is nearly a year since GDPR became a reality. The General Data Protection Regulations came into force in May 2018, amid a great deal of fevered preparation, and speculation, about their potential impact on UK businesses.
Forbes reported that British firms had put the equivalent of $1.1 billion into preparing for GDPR.
Since then, a view has emerged that certain companies have capitalised on GDPR, using it as a means of leveraging business out of others who are worried about the implications of the new regulations.
“Many organisations may be overlooking reputation when they assess their GDPR risk. Fines may be unlikely, or relatively small, but the reputational fall-out could be far more damaging.”
TalkTalk’s data breach is a case in point. The fines the company faced were small in comparison with its revenue, but the reputational damage was measured in withering headlines and bad publicity that lingered a long time afterwards.
The company’s own CEO suggested the one-off costs resulting from it could be up to £35 million.
Reputational damage is not a stand-alone loss, in the way that financial fines or penalties can be.
“On one hand the reputational risk from non-compliance is elusive, because it depends on so many factors, but on the other, it can be far-reaching, and include lost customers and investment, and higher borrowing costs impeding future growth.”
What might determine this kind of reputational damage?
“GDPR regulations have data protection and privacy at their core, so the repercussions of failing to honour them are likely to be very public.”
There are key GDPR components to do with management of personal data, identifying a lawful basis for processing it, and the conditions of obtaining an individual’s consent to do this.
“Increasingly, those businesses or organisations failing to comply with GDPR will be in the public eye and face clear-up costs. This will affect existing customers, but also prospective ones.”
The biggest consequence of this kind of reputational damage will be the breakdown of trust.
What is Trust Worth?
“In a digital economy, trust plays a critical role. Trust helps retain customers, who otherwise are a click away from taking their business elsewhere. What will a GDPR breach in the public realm do to this trust?”
Trust comes from careful brand-building and nurturing of relationships. Non-compliance resulting in a GDPR breach can quickly erode all this hard work, putting a business’s long-term future at stake.
“GDPR prompts two key questions of any business or organisation:
- Can people trust you with their data?
- Do you have the right measures, processes and procedures in place to maintain that trust?”
In the longer term, paying a fine will seem far less consequential than trying to restore a reputation damaged by non-compliance with GDPR. This is something TalkTalk is still trying to achieve, many years on.
“Do you think that clients won’t know whether you are compliant? Your website’s Privacy Notice is, in effect, a public advertisement of how well you manage personal data.”
The potential cost of reputational damage is hard to calculate, which makes it a business risk that is not worth taking.
GDPR compliance, on the other hand, is something tangible that businesses can invest in, to protect themselves in the future.