Economists and business leaders have famously called data the oil of the 21st century, the world’s most valuable resource. It is true. Alphabet and Amazon have superseded Exxon and PetroChina atop the list of the world’s most valuable companies. C-suites everywhere are urged to make better and smarter use of their data. And fast!
But recovering and refining oil comes with the sort of risks — from the physical to the political — that are not for the faint of heart. Gathering, storing, and using data is similarly risky business. Hackers steal it, clients misuse it, and consumers are left feeling out of control or even betrayed.
Politicians and regulators in the European Union (EU) and, increasingly, in the United States have taken notice. In May, the EU set in motion the world’s most stringent and far-reaching data privacy regulations with the General Data Protection Regulation (GDPR), regulations that companies are also applying to operations outside of the EU. The U.S. government has been slower to act, but California — often a first-mover in U.S. regulation — adopted similar legislation in late June.
Regulators in the EU and the United States can now severely punish companies that do not rigorously meet the new laws’ data handling requirements. An aggressive and growing class of journalists, legislators, and NGO watchdogs is digging carefully to identify and call out companies they believe are not living up to the new laws’ standards.
Investors, too, are coming to understand that the new rules will drive transformation of current business models. Facebook shed $120 billion in market capitalization on July 26, in part because of concern that the new privacy rules will slow growth in users and revenue. Facebook also faces higher costs as it struggles with challenges ranging from Russian hacking of U.S. elections to WhatsApp-fueled mob killings in India.
As communicators in Europe and the United States, we have watched and worked with data-centered companies in various stages of risk preparedness. We have learned the hard way that smart, proactive risk management is essential to the reputational health of any firm that touches data. Neglect it, and watch trust for a firm’s brand, and even its social license to operate, evaporate.
For the unprepared, data is not a new resource. It is the poison in the chalice.
Data-centered companies must build management of this risk into the core of their business, developing themselves into risk-management platforms just as oil companies did in the 20th century. That transition should start from three essential principles.
1. Elevate data privacy and security to a business-wide priority, a brand promise that every employee is obligated to keep. Data risk can no longer rest solely in the hands of the Chief Technology Officer or the Chief Information Security Officer.
2. Communicate your firm’s data security and privacy policies and practices in clear, plain language — to your customers, employees and business partners. They need to understand you are engaging with them on a matter important both to you and to them, not simply checking a legal box. Consider building relationships with select journalists and other watchdogs who cover the security/privacy beat. Time spent on that now will pay dividends later.
3. Ensure full compliance with the letter and the spirit of data privacy and security laws and regulations in every jurisdiction in which you operate. If your industry has established unique practices and standards, embrace them. Routinely audit internal implementation of your data practices. You don’t want to learn about shortcomings from an investigative journalist on a deadline.
One final likeness between oil and data: A data crisis will come in the middle of the night when you least expect it. A company’s executive team will have to react at speed — a recipe for disaster for the poorly prepared. Run your team through detailed scenario planning in advance, clearly define executive roles and responsibilities, and assemble a well-designed crisis playbook.
Most consumers, particularly in the United States, are not yet remotely aware of how large organizations are using data about them. Their concern and anger will only grow if they realize their data is not being managed with greatest care. The Facebook-Cambridge Analytica scandal is just the beginning.
Handle it correctly and — like oil — data can fuel your business. Be prepared, and make the best use of the 21st century’s most valuable resource.
Michael Law is the President of IBEX Partners, a Washington, D.C.-based public affairs and strategic communications firm, and former U.S. CEO of Burson-Marsteller.
Jeremy Galbraith is Managing Partner of BOLDT, a Brussels-based business strategy and communications consultancy. Jeremy is the former EMEA CEO of Burson-Marsteller.