Who Is Influencing the #GDPR Discussion on Twitter: Implications for Public Relations
Total Page:16
File Type:pdf, Size:1020Kb
Proceedings of the 53rd Hawaii International Conference on System Sciences | 2020 Who is Influencing the #GDPR Discussion on Twitter: Implications for Public Relations Anatoliy Gruzd Deena Abul-Fottouh Atefeh (Atty) Mashatan Ted Rogers School of Management Faculty of Information (iSchool) Ted Rogers School of Management Social Media Lab University of Toronto, Canada Cybersecurity Research Lab Ryerson University, Canada [email protected] Ryerson University, Canada [email protected] [email protected] Abstract Organizations have to report any data breaches related to user privacy within 72 hours. If an organization found On May 25, 2018, the European Union (EU) to be non-compliant, it may face a steep penalty (up to implemented the General Data Protection Regulation 4% of the annual worldwide net sales or up to €20mm, (GDPR) to protect individuals’ privacy and data. This whichever is greater).While only in effect since May regulation has far-reaching implications as it applies to 2018, GDPR has already impacted many organizations any organization that deals with data of EU residents. and how they conduct business online and offline [39], By studying the discussion about this regulation on including organizations that extensively collect and Twitter, our goal is to examine public opinions and process personal data for their services and that largely organizational public relations (PR) strategies about base their business on such data in the areas of social GDPR. The results show that the regulation is being media, healthcare, mobility and financial services [58]. actively discussed by a variety of stakeholders, but The International Association of Privacy especially by cybersecurity and IT-related firms and Professionals estimates that Fortune's Global 500 consultants. At the same time, some of the stakeholders companies will spend close to $8 billion to guarantee that were expected to have a more active role were less compliance with the GDPR, and that at least 75,000 involved, including companies that store or process privacy jobs will be created worldwide as a result of the personal data, government and regulatory bodies, regulation [46]. This is because many organizations mainstream media, and academics. The results also have to create new positions to ensure ongoing show that the stakeholders mostly have one-way rather compliance with the regulation: from hiring a Data than two-way communication with their audiences, thus Protection Officer to conducting internal privacy impact fulfilling the rhetorical than relational function of PR. assessments, to having a team of developers redesign information systems in order to ensure maximum privacy protection. Organizations also have to 1. Introduction implement mechanisms to collect users’ consent and process users’ requests to access, delete or correct their On May 25, 2018, European Union (EU) has own data. implemented the General Data Protection Regulation Organizations might have to turn to third party (GDPR) with the main goal to protect individuals’ vendors or build in-house capabilities to secure their privacy and data [22]. And even though the regulation’s digital infrastructure and follow security best practices, jurisdiction is only over the European Economic Area, which may involve staff taking appropriate it has far-reaching implications for organizations cybersecurity training and information security outside EU as well. This is because the GDPR covers certification such SOC2 or ISO27001 [12]. Finally, any organization that stores or processes data of EU organizations may need to seek legal experts who are residents, even if it is located outside EU. One of the knowledgeable in issues related to GDPR compliance to main provisions of GDPR is that organizations update current legal documents such as privacy policies (controllers and processors of personal data) must use or in case of legal trouble. Considering the complexity effective safeguards to protect individual’s data (for and resources required to become and stay compliant example, by anonymizing records). Furthermore, with GDPR, it is expected that small- and medium-sized following the privacy-by-design concept [10], GDPR enterprises (SME) would face the most challenges in calls organizations to ask for users’ explicit consent this area, especially information-intensive SMEs that before collecting their data, and once collected, to use drive their revenue growth from online advertising [57]; the “highest-possible” privacy settings by default. while larger organizations with larger budgets may view Under GDPR, individuals (i.e., data subjects) now also this challenge as an opportunity to achieve a competitive have the right to request a copy of their data collected advantage [12]. by an organization or request their data to be deleted. URI: https://hdl.handle.net/10125/64061 978-0-9981331-3-3 Page 2619 (CC BY-NC-ND 4.0) As the implementation of this ground-breaking various categories of stakeholders who engage on regulation is affecting multiple stakeholders, it swiftly Twitter. became a worldwide topic of interest. Its implications are discussed in various venues [17] and especially on 2.2. Expected stakeholders on Twitter social media. The present study aims to contribute to the public relations (PR) literature by examining public Considering the prevalence of digital enterprise opinions around GDPR shared on Twitter with the across different sectors, we expect a wide range of primary goal of identifying social media influencers on different stakeholders to engage in discussions on this topic and the PR functions they fulfill through Twitter, including: consumers, customers and members participating in the #GDPR hashtag. In doing so, we aim from the public whose data is being collected by third to highlight how organizations and major stakeholders parties, businesses affected by this regulation manage their public relations’ strategies on social media (controllers and processors of personal data), businesses at times of implementing a new policy regulation, an offering GDPR compliance services (from legal advice area that we believe has not gotten much attention in to digital services), government agencies (e.g., data PR-related research. protection and information privacy offices), and news media (considering the significance of this regulation). 2. Literature review This section briefly reviews the previous studies to determine whether and how the above-mentioned stakeholders use Twitter in general. We will use this 2.1. PR and social media influencers information to contextualize our results when analyzing the actual influencers engaged in the #GDPR This work contributes to the growing body of PR conversations on Twitter later in the paper. literature related to social media usage by organizations Consumers and customers: Social media platforms including studies that examined how organizations use have become hubs for consumers and customers to seek social media to communicate and influence their target information about brands, products, and services, rate audiences and other stakeholders [19], how different them, and communicate their experience with these managers use social media for PR [11], how non-profit products [13]. By following a brand’s social media advocacy organizations make their voices heard on account, consumers may subscribe to the latest updates social media [31], and how an agreeable corporate and discounts shared by the brands [50]. Consumers character enhances public engagement and also use social media to recount their consumption organizational public relations on social media [47]. choices and sometimes to complain about a product or While not directly, our work also expands the Social- service [6]. Thus, social media has increasingly changed Mediated Crisis Communication model [36], originally the role of the public from passive receivers of proposed to guide organizational responses on social information to active opinion shapers [60]. media during a crisis, to include cases of how social Businesses: Organizations consider public involvement media can be used for public relations during the with stakeholders an integral part of their PR strategy implementation of a far-reaching regulation, such as [56]. As more and more people are joining various GDPR. social media platforms and publicly sharing their We also build on the early work related to the role opinion about events, products and services, an of social media influencers in PR campaigns. Social increasing number of CEOs and companies are also media influencers are prominent individuals or turning to these platforms to market their products and organizations who set agendas and can sway others [38]. services, engage with customers and understand their These are experts, celebrities, micro-celebrities, early needs as well as conduct competitive intelligence [35, adopters, market mavens, enthusiasts and others [43], 40]. As of 2015, over 96% of businesses use social who are capable of starting a viral spread of information media to market their brands [55]. Many companies also and memes in social media [66]. Social media view social media as a platform for building reputation influencers are thus considered a vital capital for and trust with their stakeholders, including current and organizational public relations [18]. Consequently, prospective customers [49]. monitoring and integrating the influencers become one Governments and regulators: Social media platforms of the most important PR strategies on social