
GDPR and CSR: good privacy is becoming good business

(Image credit: StartupStockPhotos / Pixabay)

A little over two years ago, the introduction of the EU General Data Protection Regulation (GDPR) led to a flurry of activity in inboxes around the world, as companies capped off months or years of preparation for it by emailing their marketing newsletter subscriber lists to ask for permission to continue contacting people. After this very public-facing effort, however, things have been far less quiet behind the scenes than they may seem to consumers. As has been widely noted, one after-effect of the GDPR (alongside similar legislation such as California's CCPA) has been a wide-scale transformation of how information is managed in the enterprise.

Under these privacy regulations, companies are finding themselves having to justify the existence of silos of consumer data which may have built up over long periods of time, like databases of customer details for different product lines and historical data on customer service activities. Now, new data lifecycle approaches to manage this information are being built, reinforcing customer privacy and giving businesses deeper insight into the data they hold. Doing so often requires big data and IT transformations, fundamentally restructuring underlying systems in ways which can be costly and challenging, from both a technological and a cultural perspective.

Generating active benefits through data privacy initiatives

Much has been written about these challenges, and how best to manage them. However, it is also worth exploring how these efforts can create value for a business, even as they mitigate the risks of costly privacy issues. One prominent example is to take the opportunity, while the company's IT systems are being restructured, to build in revenue-generating capacity for new insights and efficiencies. A less-explored avenue is the potential for companies to associate data privacy initiatives with broader goals in corporate social responsibility (CSR).

CSR, like data privacy, is becoming increasingly central to how the modern enterprise behaves. In short, it means giving something back to the wider social fabric which supports a business’s existence. Whether opening up existing on-site medical services to the local community, working to improve access to certain careers for people from under-represented backgrounds, or taking action on global climate change, CSR seeks to simultaneously make the world a better place and burnish the company’s reputation, making it more resilient and attractive to customers and investors.

On occasion, we have seen data privacy and CSR align, not just in policy but in behavior. A good early example is the Heartland Payment Systems data breach in 2008: going beyond its mandatory legal requirements, the company went out of its way to make details of the attack public, helping competitors to protect themselves against similar incidents. By looking past the reputational risk of this course of action to the potential upside on the other side of it, Heartland both generated goodwill and helped to make payments processing a safer industry. From examples like this, it might seem an obvious step to associate data privacy with CSR, highlighting it in public-facing CSR declarations and publicizing data privacy initiatives as part of a business's responsibility to its community.

The disconnect between privacy and responsibility

In practice, few companies put forward an explicit link between privacy and responsibility: the main examples are niche web browsers and communications platforms which operate on privacy-first principles. This is in spite of survey after survey telling us that consumers care deeply about the privacy of their data and will react badly to any breach or mishandling of it. Given this, we might reasonably wonder: why does this gap exist?

One reason might simply be that, as much as an average consumer might care about privacy in principle, in practice the issue is too complex and confusing to act upon effectively. Research from Malwarebytes in 2019 showed that, while 96% of people say they care about their privacy, only 53% use password managers, only 47% know which permissions their applications have, and 29% reuse passwords across different websites. Perhaps most significantly, from a CSR perspective, only a third of people read end user license agreements before agreeing to them.

The difficulty of engaging directly with the various privacy policies of the wide array of businesses we interact with on a daily basis means that consumer attitudes towards how those businesses deal with privacy are less a matter of policy and more a matter of perception and reputation. When asked, consumers tend to rank banking and healthcare as relatively trustworthy sectors when it comes to privacy, even though data from European GDPR regulators suggests that their performance in this regard is generally no better or worse than that of other sectors. Social media, meanwhile – where we perhaps place more personal data than anywhere else – ranks low on trustworthiness. Recent news suggests that this lack of trust may be having consequences for those companies' standing.

Looking ahead to responsible privacy initiatives

There is, then, a gap between CSR and data privacy which feels likely to close at some point in the not-too-distant future. It’s easy to see how doing so can result in benefits for enterprises, their customers, and their business partners. For enterprises, supporting marketing efforts with proactive and overt indications of how personal details are collected and applied could help to generate a CSR-halo effect of positive customer feeling. For customers, data privacy-led CSR might mean offering privacy health checks and clear guidance to make their data safer and their privacy less confusing. For B2B partners, support can be offered through a data privacy value chain with open standards and shared resources.

Ten years ago, a paper by the academic Irene Pollach explored the connection between CSR and data privacy and found that, while online privacy is in theory a CSR measure, in practice there is little role for privacy in the CSR agenda of major IT companies. One thing which has changed since then, of course, is the advent of more stringent data privacy regulation – and, more importantly, the transformative impact that regulation has had on enterprises' approaches to the data lifecycle. With new information management processes being introduced at significant cost, companies are looking for a return on that investment. It seems likely that the return will be found in the fact that these processes are opening the door to effective CSR action on privacy. In another ten years, I think that businesses will have reached the logical conclusion that managing data safely is part and parcel of making the world a better place.

Ashley Bill, lead solution consultant, Micro Focus
