
Reputational Risk and the GDPR: What’s at Stake and How To Handle It

Vice President at Marsh Cyber Practice

This is the third piece in a week-long series exploring the implications of GDPR. You can find the previous pieces here and here.

Reputational damage will be a core consequence of any GDPR-related fine or penalty, similar to the aftermath of a privacy or cyber-related security incident. Associated financial costs may be difficult to discern immediately, because reputational damage is less a stand-alone loss and more an impetus for several potential consequences, namely lost consumers (in both the B2B and B2C contexts), stock price decline, and subsequent difficulty for innovation and growth due to higher borrowing costs.

GDPR-related reputational damage is an elusive risk because the size and scope is contingent upon many factors, such as revenue size and industry, the nature of the alleged noncompliance, the duration of the investigatory process, and timing.

Large revenue companies may face greater regulatory scrutiny and therefore have more reputational exposure based on the sheer size and scope of their data collection and processing efforts (in addition to their wider brand recognition). This is particularly likely for industries already in the EU regulatory crosshairs, such as the U.S. technology sector.

However, large companies in these higher-risk industry sectors may suffer less reputational damage because they are better prepared, and their shareholders and consumers have anticipated the likelihood of regulatory attention, while companies in lower-risk industry sectors, such as hospitality and manufacturing, may suffer more damage because the fine or penalty will be more surprising and unnerving.

What’s the Violation?

The nature of the alleged violation is likely to be the biggest determinant of reputational loss. A company can be deemed GDPR-noncompliant on many different grounds, some more consequential than others. For example, under Article 83 of the EU GDPR, “General Conditions for Imposing Administrative Fines,” process-related compliance failures carry a maximum penalty of 2 percent of global revenue or 10 million euros (whichever is greater), while the more severe threshold of 4 percent of global revenue or 20 million euros applies if the regulation’s core tenets are not adhered to.

As a point of comparison, a fine or penalty for a company’s failure to implement sufficient data minimization protocols will likely pale in comparison with the financial repercussions for collecting certain personal data without first obtaining opt-in consent, or for repeatedly refusing to comply with legitimate right-to-erasure requests without just cause.

How Long Will the Investigation Take?

Once an investigation is announced, depending on the nature of the allegation, there could be an immediate drop in stock price or sizeable customer loss. An investigation by an EU data protection authority also may take well over a year from start to finish, assuming that a fine or penalty is ultimately levied and the case is not otherwise settled.

This is a long enough time period that other factors, such as a poorly received earnings call or lukewarm response to a product launch, might come into play, compounding the problem and resulting in even greater damage to a company’s reputation. In these circumstances, it may be hard to gauge just how much reputational loss can be attributed to the GDPR fine or penalty versus other factors.

Timing Matters, Too

No company will want to become the trailblazer for GDPR noncompliance and receive the first sizeable fine or penalty. That said, the seventh or eighth company penalized will not necessarily suffer less reputational damage than the first few. As we have seen in the past year with respect to reputational fallout from large data breaches, a particularly large or damaging incident will still resonate irrespective of whether others have previously suffered the same fate.

So, what’s the best way to mitigate your reputational damage from such a wide confluence of factors? Consider the following:

  • Ensure that your company’s GDPR preparedness and compliance efforts are well underway with a defined implementation process, designed by internal and/or external privacy and legal counsel. This includes understanding the type of data that your company collects and processes, as well as re-evaluating the vendors that you use for data processing and gauging their level of GDPR awareness and compliance.
  • Explore transferring some of the risk through a cyber insurance policy to lessen the financial impact if you don’t have one in place already. Several large U.S. cyber insurance markets provide broad coverage for insurable GDPR fines and penalties. This coverage can potentially reduce reputational damage, because it would reimburse costs incurred for a public relations firm and other external expenses after the onset of a GDPR-related regulatory investigation. Some insurers even offer coverage for reputation-based income loss as the result of adverse publicity stemming from a privacy event, which would include alleged GDPR noncompliance.
  • Review and update your crisis management plan to get a better sense of how to optimally respond to different scenarios, including the commencement of an investigation; related litigation from consumers, vendors, or shareholders; and the ultimate imposition of a fine, penalty or related settlement agreement.

For now, there remains much uncertainty about the potential frequency and size of GDPR fines and penalties, and therefore about the scope of related reputational damage. How the media, consumers, vendors, shareholders, and broader public react will largely depend on a multitude of company- and incident-specific factors. Barring a flagrant or willful violation, however, the scope of reputational damage can be contained so long as the right precautions—some of which are outlined above—are implemented. After all, like other organizational risks, reputational loss should be thought of as a risk to be managed, not eliminated. So long as you have this mindset and sufficient compliance measures in place for a regulation that has already changed notions and expectations around privacy as we know it, reputational damage relating to the GDPR—as with other regulatory hurdles that preceded it—can be minimized.

Jeffrey Batt

Jeffrey Batt is a Vice President in Marsh’s Cyber Practice, where he advises clients on the scope of their cyber and privacy risk and related insurance solutions. Prior to joining Marsh, Jeffrey was an Associate Deputy General Counsel at the U.S. Department of Defense from 2010 to 2016.
