The management of information in the Enterprise is transforming. Today, companies have many disparate, siloed stockpiles of data which need to justify their existence. Data Privacy legislation is driving companies to create data lifecycles, which, in turn, is forcing costly Big Data and IT transformations. Many articles exist around these challenges. What is not talked or written about is how Corporate Social Responsibility (CSR) and Data Privacy could be part of this mix and could make money for the company.
What is CSR and why use it?
In summary, CSR is the company giving something back to society, driven by a common set of morals and principles. An example of CSR could be a company extending its factory medical facilities, for free, to the local community. CSR action affects people; data privacy affects people; combined, there should be a competitive advantage: a unique selling point. A great example exists following the Heartland Payment System data breach in 2008. Here, going way beyond their mandatory legal requirements, the company went public about the attack to help the wider business community, and even their competitors, protect themselves.
Other niche companies exist off the back of data privacy aligned to supporting the community. Examples include internet browsers with very strong privacy settings and apps with strong communication encryption. These niche companies are not directly supporting CSR, but they would argue that they support the wider community, aligned with a common set of morals and principles. Outside of that there is precious little to find. This is a surprise because CSR and Data Privacy could be so much more. But why is it not?
Data privacy is not a success
The reasons are simple: data privacy is not a success. It might be a hot topic, but it is not yet a success. Company privacy statements on websites are aimed at protecting the company and not the customer. For example, in 2004 Facebook gained in popularity because of its data privacy credentials, with a privacy statement fitting on a single page – today it is significantly longer. Apple’s approach to Data Privacy is a ‘full disclosure’ approach; again, it is long, and key information is difficult to find, such as the number of times Apple has provided personal data to Governments for national security reasons.
Do you even care?
Survey after survey implies that Customers care about data privacy, but their behaviour implies otherwise. The subject is simply too complex. We expect institutions to do the best for us, or at least perceive that they do. Banks and healthcare are considered the most trustworthy. However, data from the European GDPR regulator suggests they are no better or worse than other sectors. It is all about perception. Near the bottom of the trustworthiness charts is social media: the place we readily put our most precious personal data. In addition, strong brands benefit from a CSR-halo effect. Here, they are perceived as significantly more trustworthy than most, even if their practices are questionable. Naturally, these big brands have little motivation to alter this positive perception, and they are the ones who we would expect to lead the change in this area. We only care when the situation affects us explicitly, such as if a hostile party knew something about us to steal our money. More broadly, however, customers do not grasp that there is a lot more than their money which is vulnerable.
Back to the future
At the turn of the decade, research showed that CSR and data privacy were not connected. Today, apart from niche players, data privacy is a hot topic, but it remains unconnected with CSR. CSR can be directed to support the firm, the Customer, and the Business partners. For the firm, CSR can support marketing with proactive and overt indications of how our personal details were harvested. For the customer, CSR could be used to provide overt guidance and leadership in data privacy, with automated health-checks and wizards to make things less confusing. Finally, Business-to-Business can be supported in a data privacy value chain, with open standards and shared resources. These actions are, in effect, overt and proactive, not covert and obfuscated as they are today.
With society behaving as if data privacy is not important, no formal gradings or certifications from GDPR regulators, and the CSR-halo, very little will be happening any time soon. But it is coming. Over the next 10 years this position will change, because the reality is that data privacy is driving new information management processes which come at a cost, and we are looking for ROI. CSR is one way to recoup that investment. It is the logical conclusion and, in these post-GDPR years, the future.