The New Business of Trust

Data-breach prevention and protection, not just crisis response 

Rowan Philp


A corporate golden rule of “Do unto others as you would have others do unto you” has added two crucial words from customers to 21st-century businesses: 

“or else.” 

The new imperative is to treat the data of others the way you’d like to be treated, or face regulatory penalties, client defections or marketplace shaming. One estimate says that half of US companies hold information about European residents and will be required to comply with the European Union’s General Data Protection Regulation (GDPR), set for May 25, 2018. 

These companies are vulnerable to the GDPR’s huge potential fines if they fail to make data storage fully secure and compliant and the use of personal data transparent to consumers. Legal and business experts are bracing for the first case that tests enforcement. 

Perhaps an even better reason to overhaul data privacy is a competitive benefit of retaining customer trust, along with operational improvements that come from data-security transformation.

Proactive executives are combining technology, ethics and transparency to gain a market edge, says Lisa Loftis, a data governance expert for SAS Software. Lead users aren’t waiting for regulations to set their future course; they’re seeking an edge now.

“If we look at where businesses are falling down in terms of their thought process, 75% of affected US businesses and 61% of UK businesses don’t think GDPR is going to affect them,” she says. “But GDPR will have significant impacts, felt well beyond companies that fall directly under its jurisdiction. Every company that does business with either end consumers or B2B needs to be thinking seriously about data governance. As consumers start to see what noncompliance looks like, we believe they will start expecting all companies they do business with to comply, regardless of whether they are legally obligated to do so.”

Culture is lagging behind technology in ethics and corporate transparency, so the closest standard to date is what could be called the “Golden Data Rule”: companies treating personal data as if it were their own.

Angry end-user customers are cancelling accounts or boycotting businesses in viral social media campaigns that escalate quickly from complaints. Companies are selecting partners based on security, responsiveness and compliance performance. Even how technology is used is fair game: activists, for example, are calling on Samsung, Nintendo, Apple and other device makers to offer solutions to the claimed addictive nature of gaming and digital devices.

Ethical practices are hard to buy from an IT vendor, so many companies turn instead to systems and software that claim to police compliance requirements or digital behaviors. 

Data governance starts with communication, Loftis says, and a consistent culture that values information and secures it as much as possible from theft or abuse. Securing IT equipment and files is just the engineering of process.

Yet only a quarter of affected US businesses even know that they need to respond, and fewer companies overall have strategies in place to get their data in order. Fines or penalties are not the primary worry for executives. Rather, they worry most about the brand damage of “being the first to be called out,” according to Anne Buff, manager for advisory business solutions at SAS.


Securing data files, servers and access is the physical system—the bank vaults and access controls of the digital age. Security is the “what,” but governance is the “how.” The corporate commitment has to be ongoing, consistent and part of the culture, says Amy Worley, global chief privacy and records officer for Merz Pharma GmbH & Co. KGaA, a multibillion-dollar business spanning 28 countries. 

Worley was an asset protection litigator and corporate privacy advisor in private practice before joining Merz in 2016. In today’s environment, having policies isn’t enough, she says. Companies need to demonstrate a commitment to compliance through education, awareness and, if necessary, disciplinary consequences for employees who fail to follow policies.

“The privacy bar in the US is not used to this type of omnibus approach to privacy,” Worley says. “There can sometimes be too much of a focus on regulation avoidance and not enough on how to operationalize requirements in a way that does not impede the business. In fact, done right, a good privacy policy adds real business value.”

The field of US data governance began to create industry standards from legal cases in the mid-1990s, adding legal precedent to state-level laws that created dozens of inconsistent standards.

“I would not want to be a newly appointed privacy officer in a company right now if I did not have a background in privacy law. In the GDPR world, privacy is not something you should dabble in, especially in a multinational business,” Worley says. Her extensive experience in records management and corporate privacy law gives her a better understanding of why it matters to clients and to the core business.

“You miss tremendous opportunities for business efficiencies if you don’t know where all your data is and how it’s shared,” she says. “Some businesses may find they get accidentally better at managing their data assets while consciously trying to comply with GDPR.”

Merz is a specialty healthcare company that focuses on aesthetic medicine and neuroscience. The more than 100-year-old, family-owned company is approaching global privacy compliance as an opportunity to collaborate across all 28 countries and better understand its corporate data holistically.

Loftis says the broader business stakes are illustrated by the national Customer Care Measurement & Consulting (CCMC) “Customer Rage” survey, which showed “an alarming rate of negative emotions associated with the customer service provided by American companies.” It found that 91% of customers experienced frustration with customer service in 2017, and 64% were “angry” as a result of negative service interactions.

The current level of dissatisfaction could eclipse the penalties under GDPR, which could reach as much as 6% of global corporate revenue. GDPR’s timing has added a sense of urgency because specific requirements include:

  • The right of individual consumers to rapidly access their personal data from any company

  • A method to learn how a consumer’s data is being used and to object to certain uses

  • A process to request correction or even deletion of data with proof of action

Businesses will need to demonstrate that their storage of personal data for EU residents is secure, that they have appropriate governance and controls in place and that they use the data only in a permitted way; and to show a rapid, appropriate response to demands for deletion and to security breaches.


A December 2017 PwC DigitalPulse report says that declining consumer trust in companies is being driven partially by concerns over the storage and use of personal data, with only 15% of consumers believing that their data is used for their benefit, and 85% unprepared to deal with brands if they are worried about their data practices.

For SAS, which has customers in 148 countries using its customer intelligence and analytics solutions, the company culture has multiple views and a guiding principle: Data is an ingredient. It can be used with permission to deliver benefits only through trust and use cases that a company’s clients agree are ethical.

Buff says the challenge of matching ethical behavior to shifting values and expectations has to occur before compliance with new regulations, so that companies don’t find themselves constantly seeking legal loopholes or making excuses.

“The reality is that business values are completely different from human, consumer values,” Buff says. “When it comes to data use, businesses are looking for greater intelligence about our business, our products, our consumers and ultimately our delivered value. When it comes to sharing and distributing data, we’re looking at establishing partnerships or driving new revenue models. But when we look at it from a consumer perspective—that’s not what they care about. They are interested in transparency and trust and security. Sure, they want value as well, but from a totally different perspective.”

Rowan Philp reports on global business from Boston. He was chief international correspondent for South Africa’s largest newspaper, The Sunday Times, and has held fellowship programs at the Washington Post and MIT/Knight Science Journalism program.
