Corporate communications

Complex, technical and emotive, data breaches are tough communications and reputational challenges at the best of times.

The EU’s GDPR ups the ante. Not only does it raise the prospect of bigger fines but it increases the likelihood of greater legal liability and reputational damage.

Widely regarded as the gold standard for data privacy across the world, GDPR is being adopted by many countries and regions, including the Asia-Pacific Economic Cooperation.

What does the GDPR mean for business leaders, communicators, risk managers, lawyers and others preparing for tougher data privacy laws across Asia and responding to data breaches in the EU?

Here are some important principles to bear in mind:

Take swift, decisive action to address the problem 

Companies have no option other than to move fast under GDPR. The 72 hours allowed to establish what has happened, assess the likely damage, notify the regulator(s) and communicate with those impacted can seem like precious little time, especially when the facts remain unclear.

Notification and communication can appear especially daunting when the hole remains open and the facts are unclear. Yet, the quicker a company moves to fix the hole and the more decisively it does it, the more likely it will be able to limit the actual and potential damage and rebuild confidence.

Err on the side of caution, but do not panic

It is easy to feel like you are being press-ganged into publicly disclosing a data breach. In fact, not all breaches need to be reported to the regulator, and some don’t need to be reported within 72 hours.

Some breaches do not pose a high risk to those impacted, while others may be considered temporary. In some cases, the data involved is unintelligible and/or already in the public domain; in others, the effort involved in notifying the regulator may be considered disproportionate to the actual or likely damage.

In such instances, a company may choose to inform the customer of an incident without notifying the regulator or making a public statement—provided it is confident it is on a safe footing legally.

However, it is generally best to err on the side of caution and report a breach to the regulator. If it is unclear whether a breach needs to be reported, information regulators will generally advise. They may also provide guidance on whether it should be communicated to those impacted.

That said, there may be some instances in which you feel it is more important to communicate immediately with those impacted, before notifying the regulator. For example, where the data involved is extremely sensitive, or where a supplier processing data for a business customer is breached.

There are also good reasons to be wary of going straight to the data subject. Customer and stakeholder expectations vary widely on data privacy and, in the wake of an incident, their behaviours can conflict. And news of a breach typically becomes public as soon as it has been communicated with those impacted.

Whichever route you choose, it is usually best to err on the side of caution. There’s no need to panic.

Be open and honest

The GDPR and emerging data privacy policy frameworks are fundamentally about transparency and trust, with organisations expected to be open and honest about data privacy in general and data breaches specifically.

EU information regulators have said they will take seriously anything that puts these twin principles into jeopardy and that they are willing to expand investigations beyond assessing IT/cybersecurity governance and controls to testing compliance in areas like technical competence and education and training.

The same goes for customers in Asia, who increasingly expect organisations to be honest about their shortcomings and to move quickly when something goes wrong.

Consider carefully how those impacted might be affected

Understandably, company leaders and executives fret primarily about the sensitivity and volume of data involved in a breach and what it means for the well-being of their employer. But it is just as important to pay close attention to those impacted and to the context in which the incident has occurred.

In August 2018, British Airways suffered a major breach involving the personal and financial details of over 500,000 customers. Despite no evidence of fraudulent financial activity at the time, British Airways quickly appreciated that the potential for lasting reputational damage was significant, given the large number of payment card and CVV numbers involved.

[Image: British Airways CEO Alex Cruz apologises to customers for the airline’s data breach]

Hence the airline’s decision, when it acknowledged the breach, to offer customers compensation for any financial hardship suffered, a promise that may result in significant payouts and higher insurance premiums going forward. The decision almost certainly also took into account the overwhelmingly negative reaction to the airline’s 2017 IT systems outage.

Consider carefully the needs and expectations of those impacted, the degree of external and internal scrutiny the incident attracts, your firm’s historic reputation, perceived culpability and other factors when you respond to a breach.

Don’t walk away

From a communications perspective, it is tempting to treat a breach as a one-off negative event to be resolved with a little timely public grovelling.

This is a mistake.

Nowadays, people take naturally to social media to vent their experiences and concerns, which can easily spiral into secondary news stories. Leaks are common, and breaches easily bleed into other business issues, thereby aggravating the situation and elongating the news cycle.

Worse, GDPR means regulatory investigations, fines and litigation are more likely, resulting in additional negative publicity. In the process, you may also come under greater pressure to publish internal and expert investigative reports.

It is important to understand that a breach is often just the start of the reputational battle, and that you must stay – and be seen to stay – the distance in all facets of your response if you are to have any real chance of success. 

Align your response

The messiness and complexity of data breaches and the need for different business units to be involved in the response can result in sloppy, inadequate, or inconsistent communications.

Given the expanded legal obligations under GDPR, the likelihood of the emergence of equivalent regimes across Asia and heightened public awareness of data privacy rights, it is particularly important that companies’ legal and communications responses are properly aligned.

Legal and communications teams can sometimes be at loggerheads, so this is not necessarily as straightforward as it sounds. It need not be difficult. Unlike in a court of law, in the court of public opinion, a business is presumed guilty until it proves its innocence.

This doesn’t just mean one should be as open and honest as possible and that one’s rhetoric always meets reality. It means that a company must look at the wider picture, avoid inappropriate legal threats, actions, and lawyerly sounding statements, and apologize sincerely when it is at fault.

By following these principles, you will be less likely to botch your business and communications response to a data privacy incident.

More important, you will be in a much better position to persuade your customers and others that you are acting in their best interests.

This article was first published on BRINK Asia


An article in yesterday’s New York Times on General Motors’ use of social media to respond to its ongoing ignition switch crisis raises an interesting question: why, when the mainstream media, the company’s Facebook page and other online channels are full of complaints, has its broader online reputation barely been impacted (according to data from Crimson Hexagon)?

[Image: General Motors ignition recall crisis, social media sentiment]

If you were in GM’s shoes, which would you regard as the more accurate and useful reflection of its corporate reputation at this tricky time: online reputation or mainstream media coverage (irrespective of concerns about the quality of social media sentiment data – though, to be fair, it is in my experience better than most at Crimson Hexagon)?

Social media’s role as a real-time focus group of thousands sounds valuable and useful.

Your online reputation, after all, is your reputation.

Or so it is said.

But whilst this is a nice marketing phrase, it is also highly misleading.

Here are six reasons why online reputation needs to be treated with caution as a measure of broader reputation:

  1. Reputation is the sum of how many different stakeholders, from customers, employees and investors to government, regulators and suppliers, view a company
  2. These stakeholders often have different interests and talk about different topics in relation to the company
  3. A company’s online reputation is almost always dominated by discussions by customers and prospective customers about its products, especially if it is a consumer goods or services player
  4. While many customers now like to communicate with companies via social media, the great majority still prefer to use conventional channels such as call centres to register and resolve customer care queries and complaints, meaning many negative perceptions never make it online
  5. Some stakeholder opinions are rarely voiced in social media. When was the last time you heard a high-level regulator actively discussing a company on Facebook? Ditto for pension fund managers or buy-side analysts on Twitter?
  6. The relative importance of different types of stakeholders varies over time. During its current recall crisis, GM’s core audiences will be the government, its customers and investors, and it is on them that it is most likely focused as an organisation.

‘Online reputation’ (however measured) is a reasonable and timely indicator of a firm’s broader reputation from a customer or general public perspective. 

But it should not be treated as an accurate or comprehensive reflection of the full range of views or, necessarily, of the relative importance of different stakeholders to that organisation, at any given time.

In this regard, mainstream media is often a more useful gauge of non-customer stakeholder audiences, including government and business opinion-formers.

Companies would do well to listen closely to both social and mainstream media for different if complementary reasons.


Public relations is fifteen times (pdf) more effective than advertising. And at least 95% of public statements and PR pitches end up as email detritus, spiked by hard-pressed or incredulous journalists or funnelled down the black hole of news aggregation services.

Why?

After all, much of the paraphernalia of today’s PR practitioners – press releases, media advisories, backgrounders – are carefully scripted, on message, and pour out of corporate offices and PR agencies like streams of confetti.

Sounds like music to journalists’ ears.

The reason, according to Alex Singleton in his new book The PR Masterclass, is that most PR pitches fail to understand the needs of journalists – story ideas that grab their readers’ attention.

[Image: The PR Masterclass, by Alex Singleton]

Singleton should know. A former journalist at The Daily Telegraph and Mail Online, he would have developed an instinct for what his readers were interested in, the kinds of stories that would grab their attention and what constitutes successful, and ineffective, PR.

The PR Masterclass is studded with examples of good, bad and ugly PR, from a local tea blender on the south coast of England wooing the BBC by creating the world’s largest tea bag, to Whitehall departments refusing to pass on interview requests to their political bosses and a top global bank attempting to spin layoffs as ‘repositioning actions to reduce expenses’.

For those of us who have worked in journalism much of this sounds familiar, a good deal of it depressingly familiar.

But while this book is notable for the thoroughly practical way it sets out how to develop newsworthy story ideas, maintain an effective list of journalists, write and pitch press releases, run an effective press office and many other PR basics, what sets it apart is its refusal to succumb to the disease of many business books: a delight in pointing out what is challenging or wrong while providing all too few actionable solutions.

And here the solutions are set out in technicolour detail. How to write a press release headline and build an effective media list. Why anonymous letters can work for personal finance sections of newspapers but not for general readers’ letters. Why most newswire services are a waste of money, but which are worth their salt. And so on.

Arguably, The PR Masterclass suffers from a couple of limitations.

First, it is written from an (unashamedly) western perspective. But while building strong relationships with journalists is central to PR anywhere, a well-trodden path to media coverage in China (and plenty of other emerging markets) is to pay the journalist and/or buy advertising space.

The book also takes a fairly narrow view of PR, centred on media relations. Singleton argues persuasively that the conventional media still matters, despite all the talk about social media.

I concur.

But what constitutes mainstream media has now expanded significantly, with some blogs rivalling the online efforts of major broadcasters and newspapers.

The Business Insider now has a higher readership than the Wall Street Journal.

And as Ryan Holiday has pointed out, these organs can operate by very different rules and demand a muscular and visual approach to PR.

Nonetheless, neither seriously detracts from a highly readable and eminently useful addition to the PR canon, one which should be required reading not just for communications students but for any organisation that wants to get its message out credibly and persuasively.


Disclosure: I was provided with a review copy of The PR Masterclass by Wiley
