Reputation management

There has been much talk in the PR/communications industry about GDPR, mostly concerning marketing and media relations from a compliance perspective. There has also been considerable discussion in the legal and cybersecurity worlds about what GDPR means for data breach reporting.

By contrast, there has been relatively little guidance on how communicators should prepare to handle data breaches under the EU’s tough new regulatory regime. Given the volume of high-profile breaches, widespread anxiety about privacy, and low levels of trust in companies, it is essential that companies get their communications response right.

GDPR notification and communications grey areas

The GDPR ups the ante significantly. Article 33 makes it mandatory to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Article 34 additionally requires that the affected individuals themselves be informed without undue delay when the breach is likely to pose a ‘high risk’ to their rights and freedoms, for example through identity theft or fraud, financial loss, damage to reputation, discrimination or emotional distress.

Despite clarification from the EU Article 29 Working Party in the form of its Guidelines on Personal Data Breach Notification (pdf), some operational, legal and reputational grey areas remain, notably concerning:

  • Timing – what constitutes a ‘reasonable’ degree of certainty that a breach has occurred, and therefore when the 72-hour clock starts
  • Level of risk – how to judge when a risk to individuals’ rights and freedoms is ‘high’ enough to require telling the individuals themselves
  • Loss of availability – whether a temporary, as opposed to permanent, loss of access to personal data counts as a notifiable breach.

These grey areas, outlined in more detail in the slides below, may cause companies to delay or even avoid the disclosure of a known breach.


How PRs should prepare for GDPR

Here are five steps for PR/communications teams to prepare for the likelihood of having to respond to a data breach under GDPR:

  1. Understand GDPR and notification requirements, grey areas and best practices
  2. Educate leadership, legal, IT, security and other stakeholders about customer and stakeholder privacy needs and expectations; cyber/data breach reputation trends, risks and impact; and the role of communications in data breach preparation and response
  3. Ensure PR/communications is represented on relevant cybersecurity committees and teams
  4. Develop/update your corporate data breach response and crisis communications plans by assessing and prioritising different types of data breach risks to your organisation, including the reputational risks to your organisation, and for the individuals impacted; and developing communications plans for different types of breach
  5. Test and update these plans regularly – specifically data breach protocols and processes; messaging and content; your digital/social media dialogue and feedback capabilities; and leadership decision-making and team dynamics.

UK Information Commissioner Elizabeth Denham says the ICO will be proportionate in how it levies sanctions and fines. Nobody wants a fine, yet the long-term reputational impact can be far more onerous.

Are you ready for a data breach? Test your reputational defences with Charlie Pownall’s Data Breach Preparedness and Response advisory and training services.

The reaction to Marriott International’s listing of Tibet, Hong Kong, Macau and Taiwan as separate countries on a rewards club survey demonstrates the double-edged nature of visibility and success in China.

Marriott has built a tidy business in China, and its speedy and wholehearted apologies may have dampened the furore a little. However, legitimate questions remain as to how the company allowed such a basic error to happen in the first place (it was apparently a supplier fault).

Nikkei Asian Review asked for my thoughts on how foreign organisations operating in China should prepare for the risks that come with the territory – some of which have been tackled previously on this blog.

Here is Nikkei’s article.

And below is my full response to the journalist – whose questions have been edited for clarity.

Do you think foreign companies are becoming more vulnerable to political mistakes in China with the popularity of social media and rising nationalist sentiment?

Foreign companies operating in China have long been exposed to rumour-mongering and allegations of various types, from poor product safety and customer service to unfair pricing, corruption, sexual misconduct and threats to security.

Social media certainly fans the flames faster and makes these kinds of accusations inherently more emotive.

Yet most of these accusations have been – and remain – tacitly encouraged or directly started by Beijing, often through the mainstream media, which gives them a high level of credibility, not least at a time when the nationalist pot is being actively stirred.

Do you think these companies are aware of the political sensitivity of certain topics in China? What are the most common mistakes they have made besides categorising Taiwan, Hong Kong and Macau as countries? Can you give an example?

Most companies are aware of the many challenges of doing business in China and do their best not to cross political red lines such as Tibet, or to leave themselves open to accusations of discrimination against the Chinese people.

However, mistakes continue to be made.

Over-pricing and under-investment in customer service are common errors, leaving foreign firms open to accusations of profiteering, ineptitude or arrogance.

And not instilling in foreign employees working in the country high standards of professional and personal behaviour can be a recipe for disaster – as Daimler discovered in 2016 when a senior executive was caught delivering a racist tirade against locals in a Beijing car park.

How can foreign companies doing business in China avoid political risks?

The huge size of China’s market, the unpredictability of Chinese consumers, and the opaque nature of much decision-making in the country mean it is essential that companies operating there develop a close understanding of the local political, socio-economic, cultural and media context.

They must also proactively build relationships with the authorities and opinion-formers of different kinds.

China’s newfound significance on the world stage also poses risks. Like it or not, foreign companies need to appreciate that all their business activities – and not just those in China – are now more likely to be seen in a Chinese context, and that their foreignness will play out in any resultant incident or crisis in the country.

Accordingly, corporate governance at all levels must become increasingly sensitive to this new reality, and companies must be able to react quickly and appropriately when trouble happens.

A ruling that UK supermarket chain Morrisons is ‘vicariously’ liable for a payroll data leak of almost 100,000 staff by a disgruntled former employee has many legal ramifications. It also has significant potential reputational implications.

To reiterate: aggrieved that he had been disciplined after being discovered running an eBay sales business through Morrisons’ mailroom, then senior auditor Andrew Skelton copied and uploaded the salaries, bank details, national insurance numbers, postal addresses and telephone numbers of nearly 100,000 of his colleagues to a file-sharing website.

Three months later, seemingly unable to attract a buyer, Skelton sent the data to three newspapers (all of which covered the story but refused to publish the data). Within days, Skelton had been identified and arrested. He was convicted and imprisoned in July 2015.

5,518 current and former employees subsequently took Morrisons to court in the first data leak class action in the UK and, in December 2017, they won on the basis of vicarious liability: Morrisons, as his employer, was held responsible for Skelton’s actions even though the court found that he, not the company, was acting as data controller for the leaked data. The ruling is seen as unusual because the leak did not result in any reported concrete financial loss for the employees.

Legal commentators have noted that while the ruling may yet be overturned on appeal (Morrisons has confirmed its intention to appeal), and compensation is yet to be determined, an increase in data privacy class actions in the UK and a rise in legal payouts is now possible.

The ruling also potentially poses greater reputational risks for companies suffering employee-driven data leaks, including:

  • The threat of significant negative media coverage as a result of class action litigation
  • Increased scrutiny from regulators, politicians and other decision-makers
  • The perception that leadership is insufficiently knowledgeable about and/or invested in IT/cybersecurity
  • The erosion of staff loyalty and the company’s ability to recruit new talent
  • Reduced customer loyalty and loss of sales.

As if they haven’t got enough on their plates with GDPR, the Morrisons data leak ruling adds to pressure on companies to:

  • Reinforce their overall IT/cybersecurity governance and management
  • Strengthen their Incident Response and Crisis Communications Plan(s) 
  • Enhance their leadership and employee data privacy communication, training and education programmes.

Plenty for communicators, as well as for company leaders, lawyers and IT/cybersecurity teams to sink their teeth into over the coming weeks and months.


Once again, politics is the least trusted profession in the UK, according to Ipsos MORI’s latest Veracity Index. Just 17% of people trust politicians, who rank below footballers, journalists and estate agents in the Pinocchio rankings.

The recent tidal wave of allegations about sexual misconduct will not have aided their cause, nor will it have been helped by politicians like Roy Moore and Damian Green framing what they claim are untrue allegations about their own and their colleagues’ conduct as political – as opposed to personal – smears.

Of course, below-the-belt political jibes are par for the course in Westminster, Washington and elsewhere, especially when the heat is on, and are more or less expected of politicians. But even those who appear to have successfully (see my earlier post) repudiated claims about their conduct cannot resist poking the opposition in the eye.

Given the degree of public unease about the issue, profound disillusionment about the state of politics, and deep distrust in so many politicians, allegations of sexual misconduct of one sort or another – be they true or false – are an opportunity for public figures to connect with the general public on an issue people truly care about, and to rebuild some much-needed trust.
