The Hong Kong Government has just taken a major step in ensuring that companies do more to protect all data under their control. Hong Kong’s proposed new data privacy laws could instruct companies to notify the government of a data breach within five days or face the prospect of a HK$178 million fine (US$22.9 million), or 4% of global turnover. If passed, this would bring Hong Kong more in line with European GDPR requirements.
Edelman has been measuring stakeholder trust linked to issues such as privacy for many years via its Trust Barometer, which has shown the importance people place on the protection of their personal data. This week’s Risk Barometer Report from Allianz and the chatter dominating Davos 2020 also further highlight the intensified focus on data security and privacy issues, which have placed cybersecurity as the number one risk factor facing businesses around the world today.
If passed, the stricter data privacy proposals would dramatically impact how companies in Hong Kong manage their data and the ever-present risk from data breaches. However, few businesses here, or for that matter globally, are in a position to live up to these new requirements while also ensuring the protection of their brand and reputation.
The newly proposed regulation puts companies headquartered or operating in Hong Kong at the cutting edge of this issue, and demands they devise a clear communications process before they have all the facts in place in the event of a cyber-attack.
Former executive chairman and CEO of Cisco Systems, John Chambers, noted that there are two types of companies today—those which have been hacked, and those which don’t know they have been hacked. Unless companies have made thorough advance plans, five days is an improbable timeline to allow for a response that does not risk serious reputational damage.
This is not a communications challenge that can be addressed overnight or even within the mandated five-day window. All scenarios and protocols must be anticipated and put in place months in advance if a company is going to meet these new legal requirements as well as meet its responsibilities to its stakeholders.
Ahead of any breach, it is vital that the internal legal, IT, and communications departments take part in extensive planning across all parts of the company. Crucially, company leadership must immediately be activated to lead a massive customer, employee and corporate stakeholder communications effort in order to retain trust from multiple audiences while meeting the proposed compliance obligations required within the five-day timeframe.
These are not actions that can be left to the last minute. A well-planned and coordinated communications process must be ready to report the incident, the results of any initial investigation, impact on stakeholders and to begin remediation from the get-go. They must do this while also working to retain reputational capital and brand trust.
Edelman’s Trust Barometer has found widespread public mistrust of technology, the sector that has, in previous years, consistently been the most trusted of all business sectors. Six in 10 of the global population now say the pace of change in technology is too fast, and the same number (61%) believe governments don’t understand emerging technologies enough to effectively regulate them.
Hong Kong’s proposed update of data protection laws has raised the stakes for preparedness, but in order to maintain trust levels this competence must also be accompanied within an ethical framework that is driven from the top. Without these two distinct considerations (which define competence as “getting things done” and ethical behavior as “doing the right thing and working to improve society”), trust for an organisation is limited.
A data breach is essentially a breach of customer trust, but if companies can prepare for the worst, they can protect themselves now rather than face a series of fines, fees and a lifetime of diminished trust in their brand and reputation.
Adrian Warr is the CEO of Edelman Hong Kong and Taiwan, Market Growth Thailand.