Fines are just the tip of the iceberg
When it comes to GDPR, everyone knows about the danger of fines. But, what about reputational risk?
Lately, the headlines have been rife with stories about companies suffering data breaches or misusing customer data. One of the more recent examples is Facebook’s announcement that up to 87 million people’s data may have been improperly shared with Cambridge Analytica. The reality is that data breaches have become a wide-reaching problem, with 43% of UK businesses having identified a data breach in a recent survey.
The Cyber Security Breaches Survey highlighted that it wasn’t just large or tech organisations that were affected. Micro and small businesses made up 40% of the overall figure, and around half were businesses who say online services are not core to their business. This opens the wider issue of ensuring that data and information is protected, regardless of size or industry.
It’s also important to remember that a data breach doesn’t always occur in the form of a hacker breaking in to your systems. A breach can be as simple as a member of staff accidentally deleting a file that contains Personally Identifiable Information, or a company being unable to fulfil a Subject Access Request.
Organisations owe it to their customers to protect their data as if it were their own. When trust is broken, it can take years to build it back up, if at all.
Of course, it’s important to consider the financial implications of a data breach, but, with every data breach required to be reported to the ICO, fines are just the tip of the iceberg.
Facebook, for example, saw stocks plummet 14% in the aftermath of the Cambridge Analytica scandal as investors worried that users and advertisers may be scared away from the brand. And, once the headlines broke, the hashtag #DeleteFacebook went viral, encouraging users to delete their accounts in protest of the mishandling of information.
Deloitte refers to operational challenges and reputational risk as ‘Below the surface’ costs; that’s lost contracts and customer relationships, increased insurance premiums, and even devaluation of trade name.
So, an organisation may not feel the full force of a data breach for years after the incident takes place, meaning the damage is already long done, and sometimes irreparable.
The Cambridge Analytica scandal resulted in respondents to a March survey giving Facebook’s leadership and trust a score of just 22%, down from 45%. The data shows that ethical challenges (such as not protecting user’s data) can make it much harder for organisations to regain trust, than other issues such as quality control.
“In the case of Facebook, the data breach caused their overall reputation to drop by 10% in just three months, but even more worrying is the decline in the public’s perception of Facebook’s leadership and trust.” – John Gerzema CEO, Harris Poll
While organisations can take steps to limit the risk, no organisation can ever be 100% safe from a data breach. Managing data security should be an essential part of your corporate strategy, and processes, people, and systems should be consistently reviewed to mitigate the risk of a data breach.