Narrative. Story. Backstory. Media jargon is now part of the lexicon of public life, drawn on daily by politicians, journalists, commentators, marketers and businesspeople to set the agenda, challenge, inspire, dramatise and bring meaning.

For Boris Johnson, ‘Brexit is going to happen… and when it does, we must finally begin the positive narrative of Brexit Britain: tackling crime, investing in our health service and our schools, and fixing the housing market to help young people own their own homes.’

An American CEO and entrepreneur with an unorthodox career says she wants ‘to share with you my backstory and hope it can encourage you’.

And here’s Allianz Global Investors CEO Andreas Utermann looking to persuade asset managers of the merits of active investing by changing its fee model:

Allianz CEO changes active investor narrative

As communicators working in a fast-paced visual age in which facts and rumour and misinformation constantly compete for attention and viewpoints chop and change at a moment’s notice, it makes much sense to think like journalists, producers and storytellers.

The customer is not a moron media-junky

Talk of stories, backstories, narratives and episodes may sound impressive and make sense to our clients and ecosystem partners and media targets. Yet is this how our wives and children and friends and next-door neighbours think?

Do they, like Boris Johnson (who must compete with multiple other narratives and has his own rather complex backstory to contend with), reckon the positive story of Brexit Britain can only start if and when the UK leaves the EU?

Or do they think the facts speak for themselves, from whichever side of the political spectrum they hail?

We are in danger of assuming the man on the street understands and relates to such language. We also risk sounding pretentious, confusing, and disingenuous.

Focus on the facts not the packaging

As communicators we are, or should be, in the business of honesty and clarity, of rigorously examining the underlying issue rather than revelling in its packaging, of reducing the gap between rhetoric and reality.

This means sticking to the facts, avoiding jargon and doublespeak, and using words and phrases everyone understands. And it means persuading our clients to do the same – especially in a consumer or general public context.

‘Active managers add long-term value cost-efficiently. Our new fees reinforce this.’ Allianz could have said.

Which would have been clearer.

Our American CEO might simply have said she would like ‘to share with you my backstory unusual career path and hope it can encourage you’.

Which might have resulted in a few more clicks or likes.

Boris could have stated: Brexit is going to happen… and when it does, we can must finally begin the positive narrative of Brexit Britain start building a new and better Britain.’

More people might then believe him.

Egypt Air Public Relations

It sounds good in principle. A sign in Cairo airport directs passengers to Egypt Air Public Relations. In practice, the desk turns out to be manned by a customer service team. 

The team is friendly, polite and helpful – a credit to the airline. It constitutes good public relations, even if it is not PR as we think of it today.

It begs two questions: What is Public Relations? And is the term fit for purpose?

From publicity to connecting dots

Clearly, PR has moved on since its early days of B.T. Barnum’s publicity stunts. Today’s digitised and accountable landscape means PR is about listening, understanding, outreach, engagement, measurement and evaluation.

It is about advising leadership as well as manning the product and reputational coalface. It is about cooperation and collaboration, joined-up thinking and connecting dots.

Yet the PR industry continues to suffer from a poor name and image. It is seen to lack real bite and C-suite credibility and is tarnished by its association – merited or otherwise – with ‘spin’ and smears.

My own background could be said to be in PR yet, as an observant reviewer points out, I do not use the term Public Relations in my book Managing Online Reputation.

He is correct: I deliberately avoid it, and use the word Communications instead.

Why?

Most importantly, I want to reflect the fact that ‘PR’ people don’t just puff products and salvage broken reputations but provide internal communications, leadership communications, stakeholder communications, corporate communications, corporate marketing, influencer communications, digital and social media communications, and a host of other forms of communications.

I also aim to persuade my readers that the principles and practices of online reputation management – a notoriously shady ‘industry’ – must be approached strategically, appropriately and ethically to be effective.

This, I figure, would be more likely achieved by viewing online reputation through a Communications rather than a PR or digital marketing prism.

Opportunity to own the communications high ground

I am not alone. Most organisations have renamed their Public Relations units as Corporate Communications or simply Communications teams. PR agencies and industry associations such as the PRCA (formerly the Public Relations Consultants Association and now the Public Relations and Communications Association) have followed suit in whole or in part.

Yet the term Public Relations stubbornly persists – in the industry, in business, in the media, and amongst the general public.

With competition hotting up as marketing agencies, management consultants and others encroach on PR industry turf, there are compelling reasons to drop the term Public Relations entirely and replace it with Communications or variants thereof.

Such a move would be brave.

The earned media dimension of PR may lose its pointed edge. And the term ‘communications’ is open-ended, meaning many things to many people.

It would also require real ambition.

Ad agencies have been busy repositioning themselves as marketing agencies in order to reflect their broader capabilities, and to give themselves the flexibility to move into new areas.

This leaves space for the PR industry to occupy the Communications high ground and everything it entails.

A window now exists for PR to own the term Communications, and to rename itself in its own new image.

It should move fast, and aggressively.

Bob Elphick, former Reuters and BBC foreign correspondent, my initial boss at the European Commission and first professional mentor, liked to say the Commission had ‘broad shoulders’.

By this he meant that it could – indeed was in the regular business of – taking the blame for others’ deeds and misdeeds.

By the end of my time there, much of my job was spent attempting to kick into touch scare stories of Brussels needlessly meddling in UK matters.

Rumours abounded of the EC (now EU) banning bendy bananas and curvy cucumbers, or outlawing cheddar cheese and forcing donkeys on beaches to wear nappies.

The problem: few were true.

The Economist - Euromyth lies, damned lies and directives

Yet euromyths have persisted to this day, largely unchallenged, and have had a significant impact on public opinion in the UK.

Why have these scare stories been allowed to circulate so freely?

Here’s my take in the EUobserver, based on my time as an EU official much of whose time was spent fact-checking and rebutting tall stories in the UK media.

It is a cautionary tale for all organisations, especially supra-, national- and international ones.

Complex, technical and emotive, data breaches are tough communications and reputational challenges at the best of times.

The EU’s GDPR ups the ante. Not only does it raise the prospect of bigger fines but it increases the likelihood of greater legal liability and reputational damage.

Widely regarded as the gold standard for data privacy across the world, GDPR is being adopted by many countries and regions, including the Asia-Pacific Economic Cooperation.

What does the GDPR mean for business leaders, communicators, risk managers, lawyers and others preparing for tougher data privacy laws across Asia and responding to data breaches in the EU?

Here are some important principles to bear in mind:

Take swift, decisive action to address the problem 

Companies have no option other than to move fast under GDPR. There are only 72 hours to establish what has happened, assess the likely damage, notify the regulator(s) and communicate with those impacted can seem like precious little time, especially when the facts remain unclear.

Notification and communication can appear especially daunting when the hole remains open and the facts are unclear. Yet, the quicker a company moves to fix the hole and the more decisively it does it, the more likely it will be able to limit the actual and potential damage and rebuild confidence.

Err on the side of caution, but do not panic

It is easy to feel like you are being press-ganged into publicly disclosing a data breach. In fact, not all breaches need to be reported to the regulator, and some don’t need to be reported within 72 hours.

Some breaches do not pose a high risk to those impacted, while others may be considered temporary. In some cases, the data involved is unintelligible and/or already in the public domain, in others, the effort involved in notifying the regulator may be considered disproportionate to the actual or likely damage.

In such instances, a company may choose to inform the customer of an incident without notifying the regulator or making a public statement—provided it is confident it is on a safe footing legally.

However, generally, it is best to err on the side of caution and report a breach to the regulator. If one is unclear, information regulators will generally advise whether it needs to be reported. They may also provide guidance on whether it should be communicated with those impacted.

That said, there may be some instances in which you feel it is more important to communicate immediately with those impacted, before notifying the regulator. For example, where the data involved is extremely sensitive, or where a supplier processing data for a business customer is breached.

There are also good reasons to be wary of going straight to the data subject. Customer and stakeholder expectations vary widely on data privacy and, in the wake of an incident, their behaviours can conflict. And news of a breach typically becomes public as soon as it has been communicated with those impacted.

Whichever route you choose, it is usually best to err on the side of caution. There’s no need to panic.

Be open and honest

The GDPR and emerging data privacy policy frameworks are fundamentally about transparency and trust, with organisations expected to be open and honest about data privacy in general and data breaches specifically.

EU information regulators have said they will take seriously anything that puts these twin principles into jeopardy and that they are willing to expand investigations beyond assessing IT/cybersecurity governance and controls to testing compliance in areas like technical competence and education and training.

The same goes for customers in Asia, who increasingly expect organisations to be honest about their shortcomings and to move quickly when something goes wrong.

Consider carefully how those impacted might be affected

Understandably, company leaders and executives fret primarily about the sensitivity and volume of data involved in a breach and what it means for the well-being of their employer. But it is just as important to pay close attention to those impacted and to the context in which the incident has occurred.

In August 2018, British Airways suffered a major breach involving the personal and financial details of over 500,000 customers. Despite no evidence of fraudulent financial activity at the time, British Airways quickly appreciated that the potential for lasting reputational damage was significant, given the large number of payment card and CVV numbers involved.

British Airways CEO Alex Cruz apologises to customers for the airline’s data breach

Hence the airline’s decision when it acknowledged the breach to offer compensation to customers for any financial hardship suffered—a promise that may result in significant payouts and higher insurance premiums going forward. The decision almost certainly also took into account the overwhelmingly negative reaction to the airline’s 2017 IT systems outage.

Consider carefully the needs and expectations of those impacted, the degree of external and internal scrutiny the incident attracts, your firm’s historic reputation, perceived culpability and other factors when you respond to a breach. nsider carefully the needs and expectations of those impacted, the degree of external (and internal) scrutiny the incident attracts, your firm’s historic reputation, perceived culpability and other factors when you respond to a breach.

Don’t walk away

From a communications perspective, it is tempting to treat a breach as a one-off negative event to be resolved with a little timely public grovelling.

This is a mistake.

Nowadays, people take naturally to social media to vent their experiences and concerns, which can easily spiral into secondary news stories. Leaks are common, and breaches easily bleed into other business issues, thereby aggravating the situation and elongating the news cycle.

Worse, GDPR means regulatory investigations, fines and litigation are more likely, resulting in additional negative publicity. In the process, you may also come under greater pressure to publish internal and expert investigative reports.

It is important to understand that a breach is often just the start of the reputational battle, and that you must stay – and be seen to stay – the distance in all facets of your response if you are to have any real chance of success. 

Align your response

The messiness and complexity of data breaches and the need for different business units to be involved in the response can result in sloppy, inadequate, or inconsistent communications.

Given the expanded legal obligations under GDPR, the likelihood of the emergence of equivalent regimes across Asia and heightened public awareness of data privacy rights, it is particularly important that companies’ legal and communications responses are properly aligned.

Legal and communications teams can sometimes be at loggerheads, so this is not necessarily as straightforward as it sounds. It need not be difficult. Unlike in a court of law, in the court of public opinion, a business is presumed guilty until it proves its innocence.

This doesn’t just mean one should be as open and honest as possible and that one’s rhetoric always meets reality. It means that a company must look at the wider picture, avoid inappropriate legal threats, actions, and lawyerly sounding statements, and apologize sincerely when it is at fault.

By following these principles, you will be less likely to botch your business and communications response to a data privacy incident.

More important, you will be in a much better position you to persuade your customers and others that you are acting in their best interests.

This article was first published on BRINK Asia

© Charlie Pownall/CPC & Associates 2012-2019 | Terms | Privacy policy

Since the start of the year a rumour has been swirling that Facebook has been using a then-and-now facial recognition photo-sharing challenge to collect data about users and improve its AI algorithms. The social network denies it started or is involved with the challenge. 

That people suspect Facebook of being involved, and that the rumour went viral, is indicative of the suspicion with which the company is held since its flaccid approach to privacy became widespread public knowledge.

Multiple data privacy violations

These suspicions are not new. There was the row over Facebook’s Beacon user-tracking service in 2007, concerns about facial recognition, a bungled psychological experiment into the moods of its users, and run-ins with the US FTU, ACLU and privacy commissioners in multiple jursidictions over many years.

According to Google, there has been considerable public interest in privacy (mostly as a proxy for internet and/or data privacy) for many years.

Google: Data Privacy News Trends


Facebook had plenty of time to tackle the problem and prepare a meaningful response. The Guardian’s initial story in December 2015 about the covert harvesting of user data by Cambridge Analytica did not ignite until whistle-blower Christopher Wylie lifted the lid on Cambridge Analytica twenty-six months later.

Yet they did little to address the core of the privacy issue, Mark Zuckerberg disappeared as soon as the story ran, and Facebook’s value dropped USD 119 billion in a single day. Zuckerberg hardly helped matters by refusing to appear before the UK DCMS Enquiry into Disinformation and ‘Fake News’.

How did Facebook fail to anticipate a major privacy crisis when the writing had been on the wall for so long? Were its leaders truly ignorant and out of touch, or simply failed to act substantively on the many warning signs? Why did they behave the way they did? Was Facebook’s experience isolated, or consistent with other reputational meltdowns? 

Reputation risk management

These are the kinds of questions posed by lawyer Anthony Fitzsimmons and insurance expert Derek Atkins in their book Rethinking Reputational Risk, in which they get to practical grips with the notoriously knotty, slippery topic of reputation risk management.

Rethinking Reputational Risk

Drawing on analysis of recent high profile crises such as BP’s Deepwater Horizon spill, Barclays’ LIBOR rigging, Tesco’s false accounting, and the VW diesel emissions scandal, the authors argue that the problem lies in the complexity of many modern businesses, the emergence of multiple online ‘unseen systems’, fast-changing stakeholder behaviours, inadequate listening, issues management and crisis preparedness, and an unwillingness to get to the root problem of problems and failures, chiefly due to over-confidence, complacency and hubris.

All this sounds familiar. But the book comes into its own when it addresses the failure of ‘classical’ risk management and the three/four line of defence model, which is regarded as overly rigid and ill-suited to handling the many and varied behavioural risks, from weak culture and values and inappropriate incentive schemes, to the blurring of personal and professional lives and the character and personality traits of senior leaders.

The authors rightly argue that reputation risk is first and foremost a leadership responsibility, and too often it is at Board level that things fall down. Board failures were involved in 50% of the 42 crises studied.

Why?

Because Boards are essentially self-selecting, and overly reliant on people with financial and operational experience, as opposed to the forensic, analytical, behavioural and digital skills that are required in today’s globalised, networked and inherently volatile economies. There is much in this.

Since concerns about Facebook’s approach to privacy first started emerging several years before its murky dealings with Cambridge Analytica came to light, Mark Zuckerberg and Sheryl Sandberg have admitted that they should have taken user privacy far more seriously.

The important question on why they didn’t heed the warning signals earlier appears to have a single plausible answer: user privacy was regarded as a price worth paying for growth, and they would make the most of it while the sun shone and regulators, politicians, customers and the general public had more important fish to fry.

Mark Zuckerberg may insist he is personally responsible for Facebook’s privacy lapses, but Facebook’s board is also responsible and must prove itself equal to the task of fixing the holes properly, and holding its CEO to account. Its members would do well to read Fitzsimmons and Atkins’ excellent book.

Meantime, Facebook must shoulder part of the blame for the many rumours about it – be they accurate, misinformed, or plain false.


%d bloggers like this: