Digital Ethics — renewing the CIO CMO bond

Collaboration between the CIO and CMO is needed to make data ethics part of your corporate culture and a positive brand value for your organization.

This post was written by Bill Mew and Philippe Borremans and republished with permission.

Ever since the advent of CRM, and the subsequent evolution of the data-driven enterprise, there has needed to be a close working relationship between the CIO and CMO. Exploiting data insights to maximize your understanding of customers’ attitudes and behavior has required the two functions to be in lockstep.

There is, however, a new reason why the two functions need to be closely aligned. While organizations have been focused on digital transformation, for some this has been at the cost of digital ethics. In the post-Cambridge Analytica digital age, for brands to be trusted by consumers, they need to make digital ethics, data privacy and security a priority.

In the past, most consumers simply trusted that technology would work and that companies would use their data responsibly. A series of high profile incidents have shaken this trust and it is going to take years to recover from this and to rebuild the level of trust.

It is the first time ever, that a single issue has been both the top brand risk and also the top potential brand attribute. With data security and privacy now the top risk for your brand, and digital ethics and trust now your brand’s top potential attribute, marketing and IT need to be working together to make digital ethics a priority.

[Digital Ethics and Data Privacy was the subject of the #IDGTechTalk on Thursday 8th November 2018, moderated by Bill Mew]

For software and technology companies, the link between data privacy and corporate responsibility is relatively straightforward. For the very first time, industry analyst firm Gartner has named digital ethics and privacy as one of the top 10 strategic technology trends for 2019. The Gartner report says that “any discussion on privacy must be grounded in the broader topic of digital ethics and the trust of your customers, constituents, and employees. While privacy and security are foundational components in building trust, trust is actually more than just these components. Trust is the acceptance of the truth of a statement without evidence or investigation. Ultimately an organization’s position on privacy must be driven by its broader position on ethics and trust. Shifting from privacy to ethics moves the conversation beyond, ‘are we compliant’ toward ‘are we doing the right thing’”.

Even in non-tech industries, however, privacy has become a major issue. 80% of UK consumers surveyed by Fleishman-Hillard Fishburn have stopped using the products and services of a company because the company’s response to an issue does not support their personal views.

The research report from Fleishman-Hillard Fishburn entitled ‘The Dying Days of Spin’ looked at the issues that were most important to consumers across all industries and sectors (not just tech). Many of the issues that it found to be of greatest concern, such as healthcare and education, were ones that consumers expected the government to act on. Interestingly, though, the main issues that consumers expected companies to act on are now security and privacy, surpassing things like diversity and sustainability that had previously topped this list.

In addition, a recent Harris Poll, conducted in partnership with Finn Partners, revealed that data privacy is now the number one issue that Americans (65%) believe companies should be addressing, followed by access to healthcare (61%), supporting veterans (59%), education (56%) and job creation (56%).

Digital ethics now needs to be a core value for businesses — and if they are to be authentic then it has to become part of their culture. Issues like data privacy and security should not be seen simply in terms of compliance — where all too often organizations simply adopt a tick box attitude. Nor should they be seen as solely the remit of the IT department — when all parts of the business use data and the reputation of the whole organization is at stake if things go wrong, digital ethics needs to be taken seriously right across the business.

And an ethical approach should not be seen as an overhead or cost but as a means of ensuring better alignment with your customers’ values, as well as a potential source of competitive advantage over less ethical rivals. The UK Department for Media, Culture, and Sport has updated the Data Ethics Framework aimed at public sector saying, “Ethics and innovation are not mutually exclusive. Thinking carefully about how we use our data can help us be better at innovating when we use it.”

A new data regulation, GDPR, now applies that affects any organization handling the personal data of EU citizens no matter where the company is located, meaning that even US companies which process the personal data of individuals residing in the EU have to comply. The regulation mandates prompt disclosure of any data breaches, meaning that if or when things go wrong, there can be no covering it up.

Whether or not they choose to take a stand on data privacy, all organizations face the risk of encountering a data breach at some point. Their priority needs to be the introduction of a culture that takes the issue seriously and thereby minimizes the risk of any breach.

The potential damage is massive:

  • The cost of resolving an issue: The WannaCry attack back in 2017 is estimated to have cost the UK’s NHS £92m. The figure includes £19m of lost output (based on 1 percent of NHS care being disrupted) and an eye-watering estimate of £73m of IT cost in the immediate aftermath to actually fix everything.
  • The significant fines under GDPR: Facebook was recently fined £500,000 by the UK DPA, the Information Commissioners Office, for the Cambridge Analytica scandal, but that was under the old regulatory regime. Under GDPR the fines could reach as much as €20 million, or 4% of annual global turnover — whichever is higher.
  • The threat of being unable to process data: Possibly more significant, however, than the fines is the ability of DPAs to suspend an organization’s permission to process customer data, an action that would bring your operations to a complete standstill.
  • The reputational damage: Finally there is the potential reputational damage of any incident. Given that your brand is often your most valuable asset, this could eclipse all the other costs combined. Facebook suffered the largest single one-day loss of share capital in history ($119 billion) when its shares dropped 20% after one recent disclosure.

The 2018 Global RepTrak® report from the Reputation Institute clearly demonstrated that different areas of a company’s corporate reputation can be impacted during and after a data privacy or security-related crisis. Not only will the perception of governance and leadership suffer, but also universal stakeholder support and brand loyalty among the general public could be put at risk. This kind of support correlates with the purchase consideration of stakeholders and could have a severely negative impact on the bottom line.

In many organizations the CIO delegates responsibility for data privacy to the CISO (Chief Information Security Officer) and the CMO delegates responsibility for crisis management to the PRO (Public Relations Officer). However, this is organized, though, a level of collaboration will be required to step up to the current challenges. Guidance given in a new white paper ‘Brands, Trust and Digital Ethics’ suggests approaching this in two ways:

  • Proactive: the CISO and PRO need to collaborate to make digital ethics a core brand value and if necessary to implement change programmes to ensure that it becomes part of the corporate culture (beyond just the IT department).
  • Reassure your customers that you take their privacy seriously.
  • Establish data ethics as a brand attribute.
  • Ensure authenticity by making it part of your corporate culture.
  • Gain a competitive advantage over less ethical rivals.
  • Reactive: the CISO and PRO also need to collaborate to incorporate data privacy and security risk into their crisis communications planning.
  • Ensure that processes are ready to respond quickly to address problems.
  • Be ready to reassure customers that you are taking the right action.
  • Use pre-established influencer relationships to counter hysteria or misinformation.
  • Plan ahead to be able to protect your brand and customer relationships.
  • Demonstrating best practice can help minimize regulatory sanctions or fines.

If you think GDPR was a “nightmare”, just wait till when hackers strike. And it is probably more a question of “when” and not “if”.

Organizations that have a culture that takes digital ethics seriously, will behave in ways that will minimize the risk of incidents and will act in ways that help build stakeholders’ trust. Those that don’t take digital ethics as seriously will not only be at higher risk of impact but will struggle to establish such trust.

Being more in tune with digital ethics and having plans and processes in place will also help organizations respond more effectively when an incident does occur. Firms not only need processes in place to ensure that they are ready to respond quickly to address problems but also to fulfill their regulatory obligations by promptly disclosing any breach to the regulator as well as any impacted customers. They also need to have pre-established influencer relationships that they can leverage to counter any hysteria or misinformation which might arise that could interfere with their business or impact their brand.

Making data ethics a key corporate value can have a significant potential upside while implementing data privacy policies and updating crisis management plans to address data breach scenarios will minimize any downside. At the very least, engaging with influencers early can help you be better prepared to respond to calamities, while taking their advice or using them to independently assess or benchmark your data privacy policies and crisis management plans can be used to demonstrate best practice in these areas, which in turn can mitigate potential fines or legal exposure in the event of a calamity.

Your customers want you to take a stand on data security and privacy — seeing it as more important than either your diversity or sustainability efforts. If you want to be in tune with your customers, you need to be taking action on digital ethics and doing so NOW. If you wait until after an incident, it will be too late.