According to a 2023 report by IBM, the global average cost of a data breach in 2023 was $4.45 million (USD), a 15 percent increase over 3 years, with almost 60 percent of the costs related to lost business and post-breach response efforts. For a customer, a data breach can result in a loss of their secure financial information, an exposure to their sensitive health care records and complete identity theft.
The importance for organizations to manage and protect customer data has been recognized through varying data protection and customer privacy acts worldwide e.g., the General Data Protection Regulation (GDPR) in the European Union, the Data Protection Act in the United Kingdom, and the Consumer Protection Privacy Act (CPPA) in Canada.
Considering the increasing trend of data breaches, customers are now taking further steps to protect their data. Based on a report by the International Association of Privacy Professionals (IAPP) over the 12 months from March 2022 to March 2023, “85% of consumers deleted an App, 82% opted out of sharing data, 79% avoided a particular website and 67% decided against making an online purchase due to privacy concerns.” These actions indicate a decline in customer’s trust in organizations regarding the protection of their data.
This trend presents an opportunity for organizations to take a more comprehensive approach to safeguarding customer data, by integrating this responsibility with their Corporate Social Responsibility (CSR) program. The integration should be seen as a strategic response to build trust based on the customer’s evolving view of an organization’s responsibility regarding the safeguarding of their data. Incorporating data protection into an organization’s CSR program also develops broader organizational capabilities which can strengthen its responsiveness and resilience to data breaches.
The first step to achieving this integration is to establish guiding principles for a more strategic approach to data protection:
- Transparency: Clear and timely communication is key to building trust with customers. Organizations must be upfront about data collection and use, and quickly respond to any breaches to demonstrate concern for customer privacy. (Harvard Business Review, 2015)
- Data Governance: Formalizing roles and responsibilities, appointing privacy officers, conducting audits, and adopting practices to prevent breaches are critical requirements to ensure the organization can meet its obligations for data protection.
- Cybersecurity: Cybersecurity must be treated as a ‘business-as-usual’ activity. New products and services need to consider how they reinforce existing measures or reduce cybersecurity risks. Evaluation of strategic relationships, partnerships and suppliers need to meet minimum organizational requirements for cybersecurity.
- Industry Collaboration: Data breaches are a widespread problem that can quickly escalate into a crisis, affecting multiple organizations and millions of customers. There is a mutual benefit to developing collective knowledge and industry-wide standards and best practices, which demonstrates a commitment to protecting customer information. (Wells Fargo, 2023).
- Culture of Responsibility: An organization’s responsibilities to its customers also need to be reflected in its employee behaviours. Organizations need to develop a culture of data responsibility, which involves educating employees on privacy principles, fostering a sense of accountability, and integrating data ethics into corporate training programs.
Once these principles have been established the next step is to evaluate the current level of organizational readiness with safeguarding customer data.
- Assign the responsibility for data protection to a person at the executive level with accountability for embedding the guiding principles within the organization, and the ongoing management and reporting.
- Conduct a comprehensive inventory to identify and categorize all customer data within the organization. This includes all data types, sources of data and storage locations.
- Use a trusted external provider to conduct a risk assessment to identify potential threats and vulnerabilities with the collection, use and storage of data.
- Identify all suppliers and partnerships that have access to customer data, with an understanding of the purpose of need and retention of the data.
- Measure the current level of employee awareness regarding data protection routines and cyber threats.
The protection of a customer’s data and privacy is no longer solely a legal or regulatory requirement. Customers are holding organizations to a higher standard in safeguarding their information. Customers also have the power to not do business with an organization that does not meet that standard. Establishing a philosophy of data protection is the first step in responding to this opportunity. Operationalizing the philosophy with executive accountability and integrating data protection into an organization’s CSR program is the next step.
These combined efforts signal to customers that organizations recognize the responsibility they have to protect customer information, which is necessary to maintain their trust. It also ensures transparency and a more robust level of organizational capability to address a growing concern in business. //
Nigel Taklalsingh | Contributing Writer
