The concept of a “social licence to operate” has had much debate in governance circles. Less considered is whether organisations need a “digital licence to operate” and the board’s role in data governance – and how that affects corporate trust and social responsibility.
Directors could argue that a social and digital licence to operate is the same thing. As more business is conducted online, an organisation’s use of technology and data is fundamental to its social licence to operate. Those that abuse customer data soon lose community trust.
Boards, anecdotally, approach cybersecurity mostly from a risk-management and information-technology perspective. Some may not have sufficiently examined the interaction of cybersecurity with trust and corporate social responsibility in the digital economy.
“Cybersecurity is high on the risk register of large organisations,” says Edelman managing director, Francesca Boase. “However, much of that risk assessment seems to be at a commercial, operational or legal level. The challenge for boards is to go to the next level and consider how the organisation creates and sustains trust online.”
An organisation’s data ethics and ability to secure customer information is having a greater effect on trust. Two-thirds of respondents to the 2018 Edelman Trust Barometer cited protection of customer data and privacy as the top way for organisations to build trust.
“The baseline expectation of the Australian public is that companies will use their information responsibly, and keep it secure,” says Boase. “Anything less will quickly erode trust. If customers believe an organisation is not using their data appropriately, or cannot safeguard it, the brand and reputational damage can be enormous. Data security is becoming fundamental to the overall notion of trust.”
Boase’s view is timely. Technology is enabling organisations to capture vast amounts of customer data and form closer relationships. This data has been likened to a new form of “currency” in business and a source of competitive advantage in the digital economy.
Wearers of wristband fitness trackers, for example, allow organisations to track their every footstep, heartbeat and second of sleep. Smartphone users allow some organisations to track their location and recommend what they should watch, listen to, or eat.
This depth of relationship between organisations and customers, via technology and big data, is unprecedented in human history. Consumers have shown they will allow trusted organisations to be part of their life 24/7, if technology helps them.
The paradox is that as consumers allow organisations into their life more than ever in the digital economy, they have become less trusting of them. Community trust in institutions in Australia and worldwide is in decline, according to the 2018 Edelman Trust Barometer.
Trust in Australian business, government, media and non-government organisations (NGO) has fallen for two consecutive years, Edelman’s survey showed. Cumulatively, Australia’s Trust Index was just a few percentage points higher than the least-trusted country, Russia.
This global “crisis of trust” has received much attention and boards have responded with increasing focus on Environmental, Social and Governance (ESG) initiatives this decade. But little is known about how data governance feeds into ESG and community trust.
What is known is that boards worldwide are lagging on cybersecurity governance. Less than a third of respondents to the Global State of Information Security Survey 2018 said their corporate board actively participates in a review of current technology security and data-privacy risks.
Back home, the Australian Securities Exchange in April 2017 released the ASX 100 Cyber Health Check. Only a third of ASX 100 boards surveyed had defined the organisation’s risk appetite for cybersecurity and about a third assessed their cyber culture annually.
Regulators have lifted their cybersecurity expectations. The Australian Prudential Regulation Authority (APRA) draft Prudential Standard 234, released in March 2018, outlined the view that APRA-regulated entities are ultimately responsible for maintaining their information security.
And the proposed fourth edition of the ASX Corporate Governance Council’s Principles and Recommendations added commentary that board skill matrices may need to include competence in cybersecurity.
At the same time, the new Notifiable Data Breaches (NDB) scheme, which took effect in February 2018, requires organisations to alert the Australian Information Commissioner and all affected clients if a hacking of their information could result in serious harm. The new laws apply to businesses with an annual turnover of at least $3 million, not-for-profits, the health sector and Federal Government agencies.
As more data breaches are disclosed, and as regulators lift cybersecurity requirements or recommendations, boards will need to think broader about data security and trust.
Here is an edited extracted of Francesca Boase’s interview with the Governance Leadership Centre (GLC) on the interaction of trust and the digital economy.
GLC: Francesca, is there such a thing as a “digital licence to operate” for organisations?
FB: It’s an interesting way to think about it. Organisations cannot separate their digital or social licence to operate; they go hand in hand. An organisation’s mission, vision and values must be replicated in its approach to technology, data and digitisation of business. That said, organisations must consistently show they capture, use and store customer data ethically.
GLC: Why are consumers giving more of their data to organisations when trust in institutions worldwide is in decline?
FB: Innovation is an important component of organisation trust. The public wants organisations to innovate and develop products and services that make their life more enjoyable. They know that technology and big data are fundamental to that innovation.
The Edelman Trust Barometer shows that the tech sector in Australia and overseas is consistently among the world’s most trusted sectors. The public can see the benefits of technology in their daily life.
The willingness of consumers to provide data is an incredible, exciting opportunity for business and a reason why boards need to think carefully about trust in the digital economy.
GLC: What happens when trust in the digital economy is lost?
FB: One need only look at big data breaches overseas to see how quickly corporate brands, reputation and market value can be damaged.
Locally, the response to the Federal Government’s My Health Record data initiative this year shows what can happen if the public does not have sufficient trust in an institution’s capacity to secure their data.
GLC: Is the concept of trust in the digital economy getting enough board attention?
FB: I haven’t seen data on how boards are approaching this issue. My sense is that boards are still getting their head around their organisation’s cybersecurity policy, governance and reporting. They are focusing on the issue from a technology perspective and may not have considered the interaction of technology and big data with the organisation’s reputation, values, marketing and corporate social responsibility initiatives.
Boards will need to spend more time with the chief marketing officer to understand how the firm’s digital operations affect trust, brand and the customer experience.
GLC: How should boards approach this issue?
FB: The starting point is to ensure that the organisation’s values and purpose are reflected online. Directors should know the organisation adheres to the same ethics and principles when dealing with a customer online as they would when serving them instore.
“Directors should ensure the organisation has a multifaceted approach to cybersecurity. Data security is more than a technology, information security or legal issue. It is fundamental to customer goodwill, brand and reputation.”
Boards must know where the organisation draws the line with how it uses customer data and be satisfied that all staff know how they can and cannot use it.
Directors should ensure the organisation has a multifaceted approach to cybersecurity. Data security is more than a technology, information security or legal issue. It is fundamental to customer goodwill, brand and reputation.
Boards could ask management how the organisation’s brand would be affected in the event of major data breach. How would trust be affected? What is the organisation doing to build, maintain and communicate its strategy to use and store customer data? And how can trust in the digital economy be a source of competitive advantage?