Published on Nov 15, 2021
A good reputation is everything in business. This statement couldn't be more relevant in today's always-on culture, where the slightest misstep can have a devastating effect on how your brand is perceived. Whether you like it or not, customers pay close attention to what you do and choose to act (or not) based on what they see or hear about your brand. In commercial terms, breaking hard-earned trust can slow customer purchases entirely.
As Benjamin Franklin said: "It takes many good deeds to build a good reputation, and only one bad one to lose it."
While negative publicity due to an unforeseen or uncontrollable event can happen at any time, reputation management is often (wrongly) perceived as a reactive tactic that brands use after the event. In reality, companies of all sizes should take proactive measures to protect their reputation to ensure customers or service users continue to trust them.
One area where consumer trust and brand reputation are becoming increasingly interconnected is privacy management.
How organisations deal with privacy laws such as the UK general data protection regulation (GDPR) can significantly impact reputational risk. For instance, the link between failing to put appropriate levels of protection in place to prevent the loss of personal data and the erosion of consumer trust following a data breach is well documented.
If reputation management is one of the most important risk areas, leveraging your existing privacy management programme can be a positive step towards a comprehensive risk management strategy.
Building and demonstrating robust GDPR compliance requires an ongoing commitment that involves placing data ethics ahead of short-term profits. In doing so, you demonstrate your trustworthiness as a business by respecting consumer privacy, being transparent and living up to promises about your data processing operations.
So, where do you start?
Privacy and how you handle personal data relates to almost every business function. Identifying, managing, and controlling different processing activities says a lot about your company, your culture, and the maturity of your GDPR compliance programme. At the very heart of this sits data protection by design and default.
Although the GDPR requires you to incorporate data protection concerns into all processing activities, the origins of data protection by design and default date back to the mid 1990’s.
Privacy by design (PbD) was initially developed by Ann Cavoukian and discussed in a joint report on privacy-enhancing technologies by the Information and Privacy Commissioner of Ontario (Canada), the Dutch Data Protection Authority, and the Netherlands Organisation for Applied Scientific Research in 1995. The Privacy by Design framework was published in 2009 and then adopted by the International Assembly of Privacy Commissioners and Data Protection Authorities in 2010.
It contains seven foundation principles:
Cavoukian's approach led to a new way of integrating privacy into products, business processes, and policies. The core ethos is that privacy measures should be implemented at the start of a project or policy rather than hastily bolted on at the end. Today, we see data protection by design as a way to develop products, services or solutions where privacy is considered throughout the product's lifecycle.
The Information Commissioner's Office (ICO) defines data protection by default as:
To achieve data protection by default, you must ensure:
Articles 25(1) and 25(2) of the GDPR outline your obligations concerning data protection by design and by default.
Article 25(1) states what is required for data protection by design:
Article 25(2) specifies the requirements for data protection by default:
Article 25(3) also states that if you adhere to an approved certification under Article 42, that you can use this as means of demonstrating your compliance with these requirements.
Below are a series of tips for developing trust through privacy and data protection by design and default:
Although the responsibility remains with the controller, you should also ensure supply lines are considered as part of your design and default framework. New research shows a whopping 97% of companies surveyed had been negatively impacted by a cybersecurity breach that occurred in their supply chain.
For more information read the detailed guidance produced by the ICO.
The latest 2021 Consumer Privacy Survey from Cisco is aptly titled Building Consumer Confidence Through Transparency and Control. It reveals 86% of respondents said that they care about their data privacy and want more control over their data. A further 79% said they are willing to spend time and money to protect data, that privacy is a buying factor, and that they expect to pay more to protect their data. Meanwhile, 47% have acted and switched companies or providers over data policies or data sharing practices.
The above statistics certainly help establish a business case supporting the implementation of data protection by design and default. Furthermore, the strategic advantages of a robust privacy management programme are substantial. They range from reduced sales cycles to increased customer trust and brand loyalty. And, of course, they mitigate against the losses from potential breaches of personal data.
As a training provider, Freevacy recommends the BCS Practitioner Certificate in Data Protection along with the IAPP Certified Information Privacy Professional Europe (CIPP/E) and Certified Information Privacy Manager (CIPM) certified training courses, which when combined will provide the required knowledge to ensure data protection by design and default is implemented successfully.
COVID-19: FLEXIBLE, LIVE ONLINE BCS & IAPP TRAINING NOW AVAILABLE - PLEASE CONTACT FOR DETAILS