Responsible investment

Data privacy: Trust is hard earned, easily lost

Key points:

  • Personal data is arguably the commodity of the 21st century. Over the past two decades, the monetization of personal data has fueled the rapid growth of internet-based technology companies. Today, as individuals, we boast a huge digital presence, with the web awash with approximately 2.5 gigabytes of personal information each.[1]
  • Personal data presents a significant opportunity for many technology companies - but equally, it is an increasingly important concern for customers. Controversies over companies mishandling personal data has meant increasing scrutiny for firms, especially major tech companies. Negative news coverage will only increase if companies fail to robustly address these concerns.
  • This research paper assesses the fine line that separates success and failure, in terms of companies’ personal data management practices. User trust is the number one currency - and while it’s hard earned, it is also easily lost.
  • Our findings will underpin our engagement on this issue in 2020 and we detail our engagement framework on the data privacy issue.

The monetisation of personal data has arguably been one of the major drivers behind the rapid growth of the technology industry, especially for the likes of Google and Facebook. But industries worldwide have woken up to the potential, and value, of personal data - and that of customer trust. It’s estimated that the personal data market could generate $500bn by 2024[2]. And in our view, this represents a major opportunity for investors – provided individual privacy rights are protected.

On the other hand, companies exposed to the processing of personal data are more and more at risk. This is due to stricter regulation around data privacy, such as the European Union’s General Data Protection Regulation (GDPR) which came into force in May 2018. In the first year of GDPR implementation more than 140,000 queries and complaints were made to data protection authorities[3], highlighting the vast extent to which citizens care about how their personal data is being used.

Responsible company practices around personal data management is a key component of success and resilience. As a global asset manager with extensive investments in the technology sector, we believe that we can have a positive role to play in encouraging good data privacy practices. It is also one way to benefit from the opportunity of the personal data revolution but also to mitigate the risks. Our research seeks to understand the nature of corporate practices so that we can best identify the winners from the losers.

The materiality of data privacy for companies and investors

As it stands, when it comes to data privacy practices, it is not easy to differentiate between firms with good and bad practices. In fact there is surprisingly little comparable information available on this issue which is so financially and reputationally material to companies, investors and customers. This is in part due to the inconsistent quantity and quality of transparency around data privacy issues. Our research found that 75% of companies in the MSCI All Country World Index (ACWI) do not actually provide evidence of personal data usage minimization[4].

To help us identify the companies where this issue is particularly relevant, we looked at the following factors:

1. Business activities

Data privacy issues impact any and every company which is exposed to the collection, handling and processing of personal data.

Table 1. Industries for which data privacy is material[5]

Unsurprisingly, tech firms tend to be the main focus when it comes to data privacy, but the scope of sectors for which it is a material issue is far broader. Using the Sustainability Accounting Standard Board’s (SASB) Materiality Map[6], we identified the sectors which are at most at risk of being financially and reputationally impacted by data privacy risks and opportunities.

Within these industries, data privacy should be a concern for everyone – from the employee, i.e. the “user” of personal data, to top management, who are responsible for the governance of personal data processing.

2. The user standpoint: A key part of responsible data privacy practices

Individual users are at the heart of data privacy issues and challenges. They are looking for value - in the form of products or services - in exchange for the collection and use of their personal information. Simultaneously, they are very concerned by their right to privacy but their trust in companies remains a major concern. In our view, responsible data privacy practices, leading to customer trust, are the missing part of this equation. Therefore, the responsible processing of personal data represents a competitive advantage for businesses.

According to studies and surveys we reviewed[7],[8], the level of importance granted to data privacy by users varies, depending on three factors:

Geographic region

Data privacy appears as a major concern in western countries - and especially in Europe – while Chinese and Indian people seem to be more comfortable with firms collecting and handling their personal information (figures 2 and 3). Therefore, companies doing business in mature markets appear to be more exposed to data privacy risks than those operating in emerging economies.

Figure 2. Regional differences on feelings about data handling[9]

Figure 3. Regional and data-type differences in feelings about data handling

Type of data collected

Users place different values on the types of data provided, and the more sensitive the data collected - e.g. payment or personal health information - the more companies are at risk.

Generation of customer base

Users’ attitudes to personal data also differ by age. As shown in the table below, companies targeting younger generations can obtain easier consent and trust from customers to process their personal data, whereas older generations are more reticent.

Figure 4. Generational difference in feelings about data handling[10]

However, individuals are not necessarily opposed to sharing data with companies. As highlighted in figures 2 and 4, a significant number of people are comfortable with the processing of their personal data by companies. But customers are expecting to be rewarded in exchange for their personally identifiable data. Looking beyond “the simplistic notion that aggressive data collection is bad”[11], personal data processing – with the proactive consent of individuals – can also lead to win-win situations for companies and customers.

According to Accenture[12], two-thirds of consumers are willing to share their personal information in exchange for some perceived value, and three-quarters would provide their date of birth for a deal or offer. Similarly, one in four consumers is willing to share personal data in exchange for a better level of service or the ability to choose which data can be shared with third-party business partners.

Trust me with your data

Google and Facebook’s success is linked to the continued involvement of a growing number of users and the sharing of their personal information. These companies do not differentiate between a paying customer and a non-paying one – the “free customer”[13]. By doing so, tech companies are seeking to make themselves indispensable to as many people as possible. Personal data processing is key here in terms of enhancing people’s user experience. Revenue is earnt through targeting and personalisation.

Data processing enables new pathways to value creation and large-scale customisation, which are at the heart of gaining and retaining customers. The collection of personal data creates a deep knowledge of users’ preferences, which is key in creating and delivering sustainable customer value.

We believe the key factor in making the data opportunity sustainable is ultimately customer trust. After all, if companies obtain and maintain users’ consent in processing their data and provide value to them in exchange for their personally identifiable information, data will remain on the opportunity side.

Responsible data privacy practices will enable companies to benefit even more from the data opportunity. Customer trust is at the heart of what can be described as the virtuous circle of responsible data privacy practices. Responsible and transparent personal data collection and usage will drive individuals’ trust. This should help a firm bolster its customer base, and in turn they may be even more willing to share information (see figure 5). Based on the premise that personal data is a growing source of competitive advantage, companies stand to gain from responsible data privacy practices as they build and maintain customers’ confidence.

However, the data opportunity rests on transparency towards individuals. What we just described only works when customers give their consent on personal data processing and have the knowledge of the type of data that is collected and how it is used. Simply providing them with the terms and conditions is insufficient. That is why the boundary between the upsides and downsides related to data privacy is narrow.

Figure 5. Customers' trust is key in sharing personal data [14]

Blurred boundary

The edge of this boundary lies in customers’ knowledge and active consent around these issues. When customers are not aware of this, companies are highly exposed to data privacy risks.

Figure 6[15] shows what marks the difference between data opportunity and data risk. The area highlighted in yellow corresponds to the type of data and usage for which the opportunity can turn into risk. This is where breaches in customer trust can happen. Data privacy risks are higher when:

  1. Personal data that is collected is the most sensitive, and the more it is processed by companies – i.e. profiling data
  2. The use of personally identifiable information only benefits the company at the expense of customers who do not get value in exchange of their personal data – i.e. selling to third parties

The role of third parties is central in defining the boundary between data opportunity and data privacy risks. Companies need to assess to what extent their data processing practices are risky in terms of data privacy. And investors should pay attention to whether data privacy policies apply to business partners and third parties.

Figure 6. The limit between data privacy opportunities and risks

According to studies[16], over the short term, the market often tends to shrug off data privacy related incidents. For instance, the share prices of companies that have been hit by data privacy controversies typically return to their previous level quite quickly. However, in the long term, multiple breaches could have a detrimental impact on a company. We identified three key categories of data privacy risks, that are highly linked to regulation becoming stricter:

  • Regulatory risk: Companies exposed to data privacy issues could face high costs and fines if they breach regulations
  • Operational risk: Stronger regulation on data privacy could potentially lead to forced changes in business models – especially for firms such as Google, Apple, Facebook and Amazon
  • Reputational risk: The fast-evolving data privacy environment means higher public scrutiny around related issues, which could result damaging customer trust.

The game-changing GDPR
The European Union (EU)’s General Data Protection Regulation (GDPR) was designed to harmonise data privacy laws across Europe and came into force in May 2018. GDPR is meant to protect and empower all EU citizens around data privacy, and to reshape the way organisations across the bloc approach data privacy.
Every company operating in the EU which collects and handles personal data is liable and is exposed to penalties for breaches of up to €20m or 4% of global revenues - whichever is higher. Therefore, this means that individuals will get:
- Easier access to their personal data
- A right to have their data deleted
- A right to the portability of personal data from one company to another
Internally, firms will have to report to the regulator on any privacy incident within 72 hours, to record their data-handling activities and to appoint a Data Protection Officer, among other requirements. In addition, GDPR brings the concept of “privacy by design”, i.e. limiting personal data usage to targeted objectives.
Beyond the EU
There is less momentum for data privacy regulation in the US than in Europe. However, a survey[17] found that 66% of US-based internet users said they would support laws like GDPR. This indicates some desire for a greater control of US individuals over the use of their personal data by companies.
Outside of the EU, other data privacy regulations include:
- California Consumer Privacy Act (CCPA)
- Singapore Personal Data Protection Act 2012 (PDPA)
- Brazil General Data Protection Act
In total, around 120 countries globally have adopted some data privacy-related regulation and 40 more have pending regulations.

Assessing company practices

To understand companies’ existing practices, we conducted an analysis of companies in the MSCI ACWI that are materially impacted by data privacy issues according to SASB (see table 1). We used data from MSCI Environmental, Social and Governance (ESG) research.

We focused on a sub-set of 500 companies for which the MSCI ESG data privacy and security issue weighting is higher than 10% - and where the sector is considered as materially vulnerable to data privacy issues, as defined by the SASB.

We looked at how corporations are dealing with data privacy on two topics for which data is available - the highest level of responsibility for data privacy and the scope of data privacy policy.

Three main observations can be made from our analysis:

  1. There is a lack of transparency and disclosure around data privacy - and as investors, it is difficult to sufficiently separate companies with good or bad data privacy practices
  2. For firms that disclose on these topics, only a minority is in line with what are considered best practices
  3. Companies with revenues highly exposed to personal data processing are not in line with good data privacy practices

Encouragingly however, we are glad to see that companies facing high regulatory risks are above average in terms of data privacy governance and policies.

Positive practices our research identified include:

  • Companies that are transparent in their disclosure on rules and policies applied to the processing of personal data and towards customers on these policies, as well as the way their personal data is used. This point is closely linked to the opportunity related to customer trust and retention. We would favour firms that are being open and transparent about personal data activities instead of keeping individuals and investors in the dark and choosing control over sharing.
  • Data collection minimisation - companies that collect only a reasonable and relevant amount of personal data. It should be useful to the business model and rely on the customers’ consent, instead of handling a huge amount of data that have no immediate use, reasoning that it might be valuable someday.
  • Privacy by design: Companies that are exposed to data privacy issues should guarantee the highest level of privacy protection by default. This means that firms should:
    • Implement proactive data privacy measures and policies
    • Automatically protect users’ privacy
    • Integrate data privacy at the roots of systems and practices
    • Ensure transparency and visibility around personal data collection and usage
    • Prioritise individuals’ interest regarding their personal data

Investor engagement playbook on data privacy

The insights from this research shape our engagement activities with companies exposed to data privacy issues. We plan to conduct further extensive engagement on this issue in 2020.

We prioritise engagement with companies:

  • Operating in sectors where data privacy risks are material
  • With weak practices and a lower level of transparency and disclosure around data privacy
  • Earning a higher share of revenues involving personal data processing
  • Facing lower legal requirements than EU GDPR

Our key engagement recommendations include pressing companies to:

  • Improve transparency and disclosure around data privacy practices
  • Establish organisational structure and ensure sufficient resourcing to understand data privacy risks which they face
  • Ensure that the issue is robustly overseen by the board and senior executives
  • Implement leading data privacy policies and management practices
  • Adopt a single global approach on data privacy where possible - and if not, explain why they have had to adopt varying jurisdiction-by-jurisdiction standards of data privacy
  • Report on compliance with GDPR and data privacy performance

[1] A new slice of PII, with a side of digital trust; Accenture; 2017

[2] World Economic Forum

[3] GDPR in Numbers, EU Commission, 05/2019

[4] The Data Abyss, MSCI, 07/2018

[5] Source - SASB & MSCI


[7] Columbia Business School – What is the future of data sharing? (2015)

[8] Customer Data: Designing for Transparency and Trust, Harvard Business Review, 05/2015

[9] Source: Columbia Business School

[10] Source: Columbia Business School

[11] Customer Data: Designing for Transparency and Trust, Harvard Business Review, May 2015

[12] A new slice of PII, with a side of digital trust; Accenture; 2017

[13] Fabernovel, GAFAnomics: New economy, New rules, 10/2014

[14] Source: Columbia Business School

[15] Customer Data: Designing for Transparency and Trust, Harvard Business Review, 05/2015

[16] Kepler Cheuvreux, Dominant Data, 05/2018

[17] Akamai Research: Consumer Attitudes Toward Data Privacy Survey, 2018


Not for Retail distribution: This document is intended exclusively for Professional, Institutional, Qualified or Wholesale Clients / Investors only, as defined by applicable local laws and regulation. Circulation must be restricted accordingly.

This document is for informational purposes only and does not constitute investment research or financial analysis relating to transactions in financial instruments as per MIF Directive (2014/65/EU), nor does it constitute on the part of AXA Investment Managers or its affiliated companies an offer to buy or sell any investments, products or services, and should not be considered as solicitation or investment, legal or tax advice, a recommendation for an investment strategy or a personalized recommendation to buy or sell securities.

Due to its simplification, this document is partial and opinions, estimates and forecasts herein are subjective and subject to change without notice. There is no guarantee forecasts made will come to pass. Data, figures, declarations, analysis, predictions and other information in this document is provided based on our state of knowledge at the time of creation of this document. Whilst every care is taken, no representation or warranty (including liability towards third parties), express or implied, is made as to the accuracy, reliability or completeness of the information contained herein. Reliance upon information in this material is at the sole discretion of the recipient. This material does not contain sufficient information to support an investment decision.

Neither MSCI nor any other party involved in or related to compiling, computing or creating the MSCI data makes any express or implied warranties or representations with respect to such data (or the results to be obtained by the use thereof), and all such parties hereby expressly disclaim all warranties of originality, accuracy, completeness, merchantability or fitness for a particular purpose with respect to any of such data. Without limiting any of the foregoing, in no event shall MSCI, any of its affiliates or any third party involved in or related to compiling, computing or creating the data have any liability for any direct, indirect, special, punitive, consequential or any other damages (including lost profits) even if notified of the possibility of such damages.  No further distribution or dissemination of the MSCI data is permitted without MSCI’s express written consent.

Issued in the UK by AXA Investment Managers UK Limited, which is authorised and regulated by the Financial Conduct Authority in the UK. Registered in England and Wales No: 01431068. Registered Office: 7 Newgate Street, London EC1A 7NX.

In other jurisdictions, this document is issued by AXA Investment Managers SA’s affiliates in those countries.