Not that these two views are necessarily mutually exclusive.
Early social media strategy
Initially, many companies took to social media to increase reach and build buzz. A sale or two might even be recorded. There were competitions and promotions galore, and plenty of grinning employee photos and CSR fluffiness to make people feel well disposed. Lo and behold, follower and ‘engagement’ rates rose and management was delighted. Now we’re onto something, they figured.
The trouble was that they didn’t really know who was signing up or why they were doing so. And, frankly, they didn’t much care as long as the numbers continued to travel in the right direction.
So email addresses and telephone numbers were amassed, channels proliferated, customer segments segmented, and ‘conversations’ sparked.
Customers appreciated it for a while. It was fun and involving and every now and again you might receive a free bar of soap or a voucher for a half pint of Tennent’s – provided you told your friends about it.
A sting in the strategic tail
Unsurprisingly, things then rather quickly became distracting and tedious and occasionally menacing.
Promotions and content, even when they were properly considered and delivered, easily became lightning rods for discontent, their sponsors oblivious to the fact that the customer wants to use social media for real interaction, a true conversation, a proper peek into the soul of the company.
What does the GDPR mean for business leaders, communicators, risk managers, lawyers and others preparing for tougher data privacy laws across Asia and responding to data breaches in the EU?
Here are some important principles to bear in mind:
Take swift, decisive action to address the problem
Companies have no option other than to move fast under GDPR. The 72 hours available to establish what has happened, assess the likely damage, notify the regulator(s) and communicate with those impacted can seem like precious little time, especially when the facts remain unclear.
Notification and communication can appear especially daunting while the hole remains open. Yet the quicker a company moves to fix the hole, and the more decisively it does so, the more likely it is to limit the actual and potential damage and rebuild confidence.
Err on the side of caution, but do not panic
It is easy to feel like you are being press-ganged into publicly disclosing a data breach. In fact, not all breaches need to be reported to the regulator, and some don’t need to be reported within 72 hours.
Some breaches do not pose a high risk to those impacted, while others may be considered temporary. In some cases, the data involved is unintelligible and/or already in the public domain, in others, the effort involved in notifying the regulator may be considered disproportionate to the actual or likely damage.
In such instances, a company may choose to inform the customer of an incident without notifying the regulator or making a public statement—provided it is confident it is on a safe footing legally.
However, generally, it is best to err on the side of caution and report a breach to the regulator. If one is unclear, information regulators will generally advise whether it needs to be reported. They may also provide guidance on whether it should be communicated with those impacted.
That said, there may be some instances in which you feel it is more important to communicate immediately with those impacted, before notifying the regulator. For example, where the data involved is extremely sensitive, or where a supplier processing data for a business customer is breached.
There are also good reasons to be wary of going straight to the data subject. Customer and stakeholder expectations vary widely on data privacy and, in the wake of an incident, their behaviours can conflict. And news of a breach typically becomes public as soon as it has been communicated with those impacted.
Whichever route you choose, it is usually best to err on the side of caution. There’s no need to panic.
Be open and honest
EU information regulators have said they will take seriously anything that puts these twin principles into jeopardy and that they are willing to expand investigations beyond assessing IT/cybersecurity governance and controls to testing compliance in areas like technical competence and education and training.
The same goes for customers in Asia, who increasingly expect organisations to be honest about their shortcomings and to move quickly when something goes wrong.
Consider carefully how those impacted might be affected
Understandably, company leaders and executives fret primarily about the sensitivity and volume of data involved in a breach and what it means for the well-being of their employer. But it is just as important to pay close attention to those impacted and to the context in which the incident has occurred.
In August 2018, British Airways suffered a major breach involving the personal and financial details of over 500,000 customers. Despite no evidence of fraudulent financial activity at the time, British Airways quickly appreciated that the potential for lasting reputational damage was significant, given the large number of payment card and CVV numbers involved.
Hence the airline’s decision when it acknowledged the breach to offer compensation to customers for any financial hardship suffered—a promise that may result in significant payouts and higher insurance premiums going forward. The decision almost certainly also took into account the overwhelmingly negative reaction to the airline’s 2017 IT systems outage.
Consider carefully the needs and expectations of those impacted, the degree of external (and internal) scrutiny the incident attracts, your firm’s historic reputation, perceived culpability and other factors when you respond to a breach.
Don’t walk away
From a communications perspective, it is tempting to treat a breach as a one-off negative event to be resolved with a little timely public grovelling. This is a mistake.
Nowadays, people take naturally to social media to vent their experiences and concerns, which can easily spiral into secondary news stories. Leaks are common, and breaches easily bleed into other business issues, thereby aggravating the situation and elongating the news cycle.
Worse, GDPR means regulatory investigations, fines and litigation are more likely, resulting in additional negative publicity. In the process, you may also come under greater pressure to publish internal and expert investigative reports.
It is important to understand that a breach is often just the start of the reputational battle, and that you must stay – and be seen to stay – the distance in all facets of your response if you are to have any real chance of
Align your response
The messiness and complexity of data breaches and the need for different business units to be involved in the response can result in sloppy, inadequate, or inconsistent communications.
Given the expanded legal obligations under GDPR, the likelihood of the emergence of equivalent regimes across Asia and heightened public awareness of data privacy rights, it is particularly important that companies’ legal and communications responses are properly aligned.
Legal and communications teams can sometimes be at loggerheads, so this is not necessarily as straightforward as it sounds. It need not be difficult. Unlike in a court of law, in the court of public opinion, a business is presumed guilty until it proves its innocence.
This doesn’t just mean one should be as open and honest as possible and that one’s rhetoric always meets reality. It means that a company must look at the wider picture, avoid inappropriate legal threats, actions, and lawyerly sounding statements, and apologize sincerely when it is at fault.
By following these principles, you will be less likely to botch your business and communications response to a data privacy incident.
More important, you will be in a much better position to persuade your customers and others that you are acting in their best interests.
Since the start of the year a rumour has been swirling that Facebook has been using a then-and-now facial recognition photo-sharing challenge to collect data about users and improve its AI algorithms. The social network denies it started or is involved with the challenge.
That people suspect Facebook of being involved, and that the rumour went viral, is indicative of the suspicion with which the company is held since its flaccid approach to privacy became widespread public knowledge.
Multiple data privacy violations
These suspicions are not new. There was the row over Facebook’s Beacon user-tracking service in 2007, concerns about facial recognition, a bungled psychological experiment into the moods of its users, and run-ins with the US FTC, the ACLU and privacy commissioners in multiple jurisdictions over many years.
According to Google, there has been considerable public interest in privacy (mostly as a proxy for internet and/or data privacy) for many years.
Facebook had plenty of time to tackle the problem and prepare a meaningful response. The Guardian’s initial story in December 2015 about the covert harvesting of user data by Cambridge Analytica did not ignite until whistle-blower Christopher Wylie lifted the lid on Cambridge Analytica twenty-six months later.
Yet they did little to address the core of the privacy issue, Mark Zuckerberg disappeared as soon as the story ran, and Facebook’s value dropped USD 119 billion in a single day. Zuckerberg hardly helped matters by refusing to appear before the UK DCMS Enquiry into Disinformation and ‘Fake News’.
How did Facebook fail to anticipate a major privacy crisis when the writing had been on the wall for so long? Were its leaders truly ignorant and out of touch, or did they simply fail to act substantively on the many warning signs? Why did they behave the way they did? Was Facebook’s experience isolated, or consistent with other reputational meltdowns?
Reputation risk management
These are the kinds of questions posed by lawyer Anthony Fitzsimmons and insurance expert Derek Atkins in their book Rethinking Reputational Risk, in which they get to practical grips with the notoriously knotty, slippery topic of reputation risk management.
Drawing on analysis of recent high profile crises such as BP’s Deepwater Horizon spill, Barclays’ LIBOR rigging, Tesco’s false accounting, and the VW diesel emissions scandal, the authors argue that the problem lies in the complexity of many modern businesses, the emergence of multiple online ‘unseen systems’, fast-changing stakeholder behaviours, inadequate listening, issues management and crisis preparedness, and an unwillingness to get to the root problem of problems and failures, chiefly due to over-confidence, complacency and hubris.
All this sounds familiar. But the book comes into its own when it addresses the failure of ‘classical’ risk management and the three/four lines of defence model, which is regarded as overly rigid and ill-suited to handling the many and varied behavioural risks, from weak culture and values and inappropriate incentive schemes, to the blurring of personal and professional lives and the character and personality traits of senior leaders.
The authors rightly argue that reputation risk is first and foremost a leadership responsibility, and too often it is at Board level that things fall down. Board failures were involved in 50% of the 42 crises studied.
This is because Boards are essentially self-selecting, and overly reliant on people with financial and operational experience, as opposed to the forensic, analytical, behavioural and digital skills that are required in today’s globalised, networked and inherently volatile economies. There is much in this.
Since concerns about Facebook’s approach to privacy first started emerging several years before its murky dealings with Cambridge Analytica came to light, Mark Zuckerberg and Sheryl Sandberg have admitted that they should have taken user privacy far more seriously.
The important question on why they didn’t heed the warning signals earlier appears to have a single plausible answer: user privacy was regarded as a price worth paying for growth, and they would make the most of it while the sun shone and regulators, politicians, customers and the general public had more important fish to fry.
Mark Zuckerberg may insist he is personally responsible for Facebook’s privacy lapses, but Facebook’s board is also responsible and must prove itself equal to the task of fixing the holes properly, and holding its CEO to account. Its members would do well to read Fitzsimmons and Atkins’ excellent book.
Meantime, Facebook must shoulder part of the blame for the many rumours about it – be they accurate, misinformed, or plain false.
Below is my full response to the journalist; the published article is here.
Which risks are created for firms from employees’ personal social media accounts?
Research consistently shows the top risk of social media to companies is damage to reputation. Rank-and-file employees may be seen as the most trusted sources of information on, and credible advocates for, an organisation, yet the flip side is equally true: inappropriate, offensive, unethical or defamatory behaviour by those seen as the most authentic embodiment of a company has a nasty habit of spilling into the broader public domain and bringing their employer’s name and image into disrepute.
Understandably, much of the focus concerning employee social media profiles is on internal threats. However, companies underestimate the external risks associated with these accounts, notably the increased risk of social engineering to access personal and/or company information, and greater opportunities for identity theft as a way to embarrass an individual – and perhaps their employer – in public.
Which types of posts from employees on personal social media accounts are the most damaging (political statements, unprofessional conduct, criticising the company etc.?)
The degree of damage depends on factors such as the nature of the post, the resonance of the topic, the credibility of the employee, whether the post is seen as accidental or deliberate, and the visibility and reputation of the company. It can be particularly damaging if it is seen to involve confidential or highly sensitive information, racist, sexist or discriminatory comments, the harassment or smearing of colleagues, customers or competitors, or which point to corporate hypocrisy or double standards – all of which will quickly attract negative coverage and can result in legal action, financial penalties, or lost sales.
Much hinges on the local political, social and media context. For example, political and social online activism across Asia is less widespread, but certain topics are guaranteed to raise hackles, and with civil society gaining ground and personal online activism on the rise, a loose statement can prove immensely damaging. And while smears are commonly regarded as below the belt in the west, in China and elsewhere there is a pervasive culture of trashing other individuals, companies and just about anything and everything else, much of it surprisingly overt. Many such smears die at birth, but others take on a life of their own if the employee is trusted. It often also helps if the target is western.
How can firms mitigate these risks? Is employee training necessary, or does it need to go further into rules in contracts and disciplinary action?
The blurring of employees’ personal and professional lives online presents a tricky challenge for any organisation. While some companies continue to limit workplace access to social media, or to personal social media accounts during working hours, most accept that the great majority of their people have a personal presence on social media and understand it is unreasonable, and in some countries illegal, to clamp down on or to monitor personal online activities, particularly outside of working hours.
At one level, the risks of rogue social employees can be reduced by having strong values and culture, ensuring good behaviour across the corporate ecosystem, having a healthy working environment and fair compensation, and being open and honest whenever possible. Understanding that there is little to stop aggrieved employees sounding off on employer review sites such as Glassdoor, or taking to anonymous workplace communities like Blind, many companies are also strengthening employee reviews, complaint procedures, and putting in place more substantive and constructive exit interviews.
It is also essential to have strong social media governance, most obviously in the form of a corporate social media policy and a set of guidelines that spell out the expected parameters of online behaviour, highlight the link between poor personal behaviour and reputational damage to the company, and threaten disciplinary action for breaches of policy. Many companies now refer to or embed these terms in employment, contractor and supplier contracts, and feature them in formal onboarding processes.
Of course, social media policies and guidelines must also be understood and lived, which is where training and communication come in. The challenge is often that these dry, rather formulaic policy documents have many grey areas. For example, is it appropriate for employees to talk about, let alone criticise, their employers’ activities on Facebook and, if so, when and how? Should they respond to third-party criticism of the company on their social profiles, or the open web? Are there any topics employees should expressly steer clear of, even in their personal lives? Should employees be talking up their company’s products on social media and, if so, how? In what circumstances (if any) should an employee use his employer as an online platform for his own personal activities and views? Smart organisations have training programmes that get into these awkward nooks and crannies, bring them alive, clearly spell out the dos and don’ts, and issue regular reminders.
Companies like L’Oreal have taken this educational approach a step further by hand-holding their people personally through the social media maze, showing them the merits and risks of different kinds of social media strategies, platforms and profiles, and teaching them how to segment users, limit access to their opinions and content, and keep their profiles secure. Corporate personal branding programmes not only help employees and their employers protect their reputations day-to-day, they also instil residual goodwill and help reduce the likelihood of alumni disparaging the company once they have moved on.
It would be great to know your thoughts on this necessarily messy and difficult topic. Is there anything you find particularly challenging about employees’ personal social media accounts? What are the best ways of minimising these risks?
But it is not just the big campaign groups that have benefited. Once the preserve of students, tree huggers and political dissidents, activism is now the opium of suburban housewives and white collar workers across the world. It is particularly evident in the huge popularity of online petition sites:
Change.org counts over 140 million members in 196 countries
Avaaz boasts some 43 million members in 194 countries
A UK member of parliament recently told me she receives dozens of emails every day supporting various causes from the 3 million+ members of 38 Degrees, all of which she feels compelled to respond to.
People power has never felt so real, or so daunting. And in an age in which business is increasingly expected to play the role of a concerned and actively engaged ‘citizen’, the numbers involved and the sheer unpredictability of public opinion raise real challenges and risks, as firms supporting ostensibly mainstream causes have discovered.
Drawing on discussions and interviews with Greenpeace, the WWF and high profile individual activists, I argue in my book Managing Online Reputation that online activism is now mainstream, activist networks are becoming more amorphous, and campaign groups are deliberately making their lines of attack less predictable, before going on to detail three current and emerging strategies and tactics used online in the ongoing battle for public support.
With propaganda swirling online, a Change.org petition fast escalating and Greenpeace all over your Facebook page, an online activist attack can feel terrifying and remorseless. But while some activist campaigns meet or even exceed their objectives, most fail to convince the public of their merits, or simply succumb to slacktivism.
How you choose to respond requires a close understanding of your detractors’ playbook, a smart reading of the public mood, and an appreciation of your tolerance for business and reputational risk.
I had the pleasure earlier this week of talking to early-stage entrepreneurs and assorted others about the importance of building trust from the get-go.
Providing a genuinely useful and usable experience with great customer service is the starting point for many start-ups, but one that is nowadays expected as the price of admission.
Customers, the general public and others are able to act immediately on bad experiences and are increasingly intolerant of perceived poor behaviour by companies.
The travails of companies like Uber and Theranos show that having good governance, being open and transparent – including preparing properly for when things go wrong – and having strong values and a clear purpose are essential if a start-up is to build trust over the long-term.