Using digital policies to maximize opportunities and minimize risks


The following is excerpted with permission from the new book, The Power of Digital Policy: A practical guide to minimizing risk and maximizing opportunity for your organization, by Kristina Podnar.

Chapter two: Risks and opportunities in a brave new world

How did we get here?

In an environment where some companies still have policies requiring employees to bring in doctor’s notes when they’ve been sick, I often wonder how we’ve given so little thought to policies for guiding our online activities.

I blame it on the breathtaking speed of the digital revolution and the disruption it caused. Nobody wanted to be left behind, so we all took a “Do the best we can now and figure out the rest later” approach. We just didn’t know that “later” would be 20 years away.

In addition to being somewhat passive about responsible digital management, we’re also living in a time of significant disruption. You might be awakened to the need for digital policy by receiving a letter indicating your website is inaccessible to those with disabilities (a potential lawsuit), your company is being acquired (due diligence is imminent), or some other disrupting event stares you in the face.

The evolution of digital risk

In 1998, I was working at a web design agency creating websites primarily for nonprofits. We were unique in this space, operating at a very exciting time—when the internet was just taking off.

Because it was such early days, innovation was everywhere, and there were no rules. We created anything that seemed exciting and new—anything that would put our clients on the map. That included prototypical content management systems: the tools that allow non-technical people to create web pages and publish content.

As a project manager, I had many different hats in my wardrobe and switched them out as needed—often multiple times per day. My role was similar to that of today’s webmasters. Not only did I collaborate with clients to structure their projects, I also worked with designers creating graphics in Photoshop, wrote Hypertext Markup Language (HTML), tested the website functionality—including the all-important ability to make donations or pledges—and transferred files to the web server via File Transfer Protocol. It was a heady time. I was creating and redesigning websites for well-known organizations like International Committee of the Red Cross, UNICEF, St. Jude Children’s Research Hospital and Emily’s List.

Not only was the web a free-for-all of creativity, limited only by what we could think up, but it was also a time when management and most clients knew little about it. But they were delighted by pretty designs and the opportunity to raise awareness and funds via this new communications channel.

But the laissez-faire attitude of the times resulted in many fiascos. In hindsight, they might appear humorous—until you grasp how immense the consequences could have been. I remember the Saturday I sat down to relaunch a new client’s website but instead accidentally overwrote all of the files. The client was without a website for over six hours while I frantically worked to recreate the files (to this day, I don’t think they ever knew).

But there’s always “what could have happened.” While this may seem shocking today, we had no backup strategy—short of renaming old files index.html.backup. Server passwords were shared every Monday at a meeting so that we could all access the servers and client files as needed. We sent clients’ payment card numbers to the bank with no encryption whatsoever, and we never gave it a second thought.

Today, of course, such behavior could be grounds for dismissal, and would likely lead to closed-door sessions with in-house counsel. However, such hyperawareness gives the impression that we’ve matured a lot more than we really have in practice. While it may seem that we’ve come a long way, the reality is that equivalent behavior—and worse—is still happening, but with far worse consequences than two decades ago.

Today’s digital landscape

From headlines to Twitter storms

Despite ubiquitous news stories about data breaches or the embarrassing aftermath of corporate social media gaffes, very few organizations today weigh their digital activity in the context of risks and opportunities, putting associated policies in place to support their online operations.

Most businesses either have few policies or none at all. If they’re lucky, they’ll have some privacy and branding guidelines, but digital activity is being carried out with minimal consideration for legal and regulatory requirements or for the risks and opportunities that are inherent in online activities.

Whether it be websites, social media accounts, mobile applications, customer relationship management tools, email marketing platforms, artificial intelligence and chatbots, or any other type of digital presence, the vast majority of organizations are still winging it.

In fact, in my two-decade career, I have seen far too many organizations—especially multinationals—winging it or operating without policies that clearly state the organization’s boundaries around digital. They don’t formalize what should and should not be done to protect the organization and maximize its return on the digital investment.

The inevitable result: Digital workers make their own decisions. They have the best of intentions but are completely out of alignment with organizational objectives. And that can easily result in lawsuits, social media firestorms, regulatory penalties, loss of brand value, and falling market share.

Ease of market entry

On the other end of the spectrum are our smallest businesses. The digital revolution has obliterated many old school barriers to market entry. Now, anybody with an internet connection can set up an online business—no prior experience or investment in infrastructure is required.

It’s so easy that many people forget to think about things like digital policies and regulations—until circumstances catch up with them. Even tiny, online-only businesses still have to play by the rules, and many of them don’t have the resources to recover from a misstep.

What are digital policies?

Digital policies are the antidote to the things that can go wrong when organizations make up the rules as they go along. They’re the rulebook for your business’s online activity, describing what you will and will not do.

Effective digital policies:

  • Are simple, clear statements on how your business will conduct its digital operations
  • Provide a level of detail that translates the digital strategy into actions
  • Are based on your business’s culture, beliefs, goals and objectives
  • Address all applicable laws and regulations—both international and local
  • Provide necessary guidance to support all digital workers—employees, vendors, contractors, etc.

But don’t get too caught up in the label. Some organizations refer to policies as directives, others prefer to classify them as standards, and others simply call them guidance. And some small businesses simply frame them as “the way we do things around here.”

Personally, I subscribe to the hierarchy defined by Lisa Welchman in her book Managing Chaos: Digital Governance by Design. That hierarchy is Strategy / Policy / Standard. Namely, there must be a strategy to guide your digital efforts, and from there we can derive policies (the what to do and not do) and standards (how to do it).

However, if your organization isn’t yet digitally mature enough to make this distinction, or your culture and corporate tradition dictate different terminology, go with it. Having policies that are used is more important than what they’re called.

Why are digital policies important?

In a nutshell, digital policies help you take full advantage of the opportunities available in the digital world while reducing the risks associated with online missteps.

Organizations today operate in a world where mistakes are easy to make, are extremely hard to hide and can lead to serious consequences.

Our digital world is full of websites, mobile applications and customer relationship management tools (all of which easily cross the national boundaries that used to help us maintain an orderly marketplace). So I have to wonder why we expect this world to barrel full steam ahead without any guard rails.

I think it’s because many businesses try to avoid the issue for as long as they can. They start talking about digital policy development when and because they have to, not because they see the value in being proactive.

It’s not hard to understand why. Nobody wants to read through pages and pages of legalese, especially when they’ve got work piling up. And then there’s the fact that we humans seem designed to look at rules with disdain—if not outright rebellion. We don’t like being told what to do.

But that understanding doesn’t remove the risks. A clear understanding of the risks involved in not having digital policies tends to be the final alarm that motivates organizations. We need to accept that tackling digital policies tomorrow may be too little, too late.

Why develop digital policies?

For starters, lawsuits, data breaches, regulations, and social faux pas… oh, my!

Lawsuits

Lawsuits are becoming increasingly common—perhaps that’s not surprising. But what is surprising is how many organizations being sued were unaware of the risks they were taking.

Take website accessibility, for instance. In the US, it’s mandated by the Americans with Disabilities Act. In 2017, plaintiffs filed at least 814 federal lawsuits alleging inaccessible websites (including a number of putative class action suits). As of August 2018, we’ve seen at least 437 lawsuits filed, and the final number will likely exceed that of 2017. Organizations named in the filings include well-known brands—Domino’s Pizza, Winn-Dixie Stores, Hobby Lobby, Nike, 24 Hour Fitness, De Beers, Barneys, Donna Karan…

Data breaches

Nearly every week, we see headlines about data breaches affecting millions of consumers of the most well-known brands in the world. While Facebook’s Cambridge Analytica data breach fiasco dominated headlines, it was just the tip of a massive iceberg. Data from 125,000 credit cards was stolen from Saks Fifth Avenue and Lord & Taylor, and the data of almost 150 million consumers was stolen as part of the mid-2017 Equifax breach.

Regulations

Global organizations face extra, incredible challenges when it comes to complying with all applicable laws and regulations. The European Union’s (EU’s) General Data Protection Regulation (GDPR), which came into effect on May 25, 2018, requires stronger protections for the private data of all residents of the EU and European Economic Area (EEA).

One of GDPR’s tenets is that personal data is owned by the individual, not by the organizations that hold the data. It also specifies that personal data may not be removed from member nations without appropriate protections in place and, in some instances, not at all (which may not seem like a big deal until you think about the proliferation of cloud services).

But the EU/EEA is not a federal system; it’s still 31 separate countries. Application of GDPR into the local laws and actions of national regulators is inconsistent. Some regulators show an understanding of business realities (e.g., the U.K.), while others are building additional complications on top of GDPR’s minimum bar (e.g., Germany).

On the heels of GDPR, we have seen the California Consumer Privacy Act of 2018, which has kicked off the rolling, U.S. state-specific regulatory requirements for consumer data protection across the digital realm.

While this might seem like a new requirement, it comes on the heels of Russia’s data localization law that came into effect on September 1, 2015. Other countries, including South Africa, have joined the call for increased digital privacy with laws that mirror the GDPR (the South African version is called the Protection of Personal Information Act). And, in early 2018, China announced additional restrictions on the collection and transfer of personal data.

And those aren’t the only regulations to worry about. For example, YouTube was alleged to be collecting personal data on preteens, which is illegal under the Children’s Online Privacy Protection Act. Moreover, weeks after the YouTube news came research alleging thousands of Android apps were likely violating the same law.

Social faux pas

Fines, lawsuits, and operational disruptions aren’t the only risks. Plenty of companies have faced public ridicule and loss of credibility due to digital missteps.

Here are but a few examples:

  • In April 2018, while riding a bike on her own time, Juli Briskman was photographed from the back by a White House journalist as she raised her middle finger to President Trump’s motorcade. The photo was picked up by the media, and Ms. Briskman then shared it on several social platforms in addition to making it her Facebook background. Her employer, Akima, is a government contractor and, fearing repercussions, forced Ms. Briskman to resign. Her firing resulted in a lawsuit as well as a social media backlash—both of which could have been avoided had there been clear policies in place regarding employees’ social media behavior.
  • The popular discount service Groupon issued an apology in April 2018 after discovering a racial slur in product descriptions—a Chinese third-party shoe vendor likely failed to understand the true meaning of the word it chose. The apology did little to make up for the online outrage and negative press to the brand.
  • The fast food restaurant Chipotle ran into technology scalability issues during a 2018 free guacamole promotion. The chain’s mobile application and website crashed under heavy customer demand; the company’s social media team was hard pressed to contain the Twitter backlash, causing the company to extend the offering by an additional day.
  • Former cricketer Imran Khan won Pakistan’s 2018 prime ministerial election, but the BBC confused him with another famous cricketer (Wasim Akram) in a clip and Twitter posting. The gaffe quickly went viral with many online users slamming the news network for its ignorance and asking if “all brown people look the same” to the British broadcaster.

But do small businesses really need digital policies?

Yes. For one thing, lawsuits against small businesses aren’t unheard of—remember the bakery that was sued for refusing to make a wedding cake for a same-sex couple? In fact, for plaintiffs who are more interested in righting perceived wrongs than in monetary compensation, smaller businesses can be much easier targets than large corporations.

Another reason small businesses need digital policies is because employees tend to wear multiple hats, tackling projects that fall outside of their areas of expertise simply because somebody has to do it. Having policies that outline the who, what, where, when, how and why results in a more consistent—and more reliable—digital presence.

Should startups follow the same path as small businesses?

No. Let’s begin with where you think you are. You and a handful of associates have launched a small startup that’s pinned its growth on the development of a promising product or service. If your offering fulfills your expectations, your company could, in just a few short years, be shopping for a financial partner and growing significantly or even be faced with an outright acquisition.

Unlike a small business, your goal is not to stay small forever, but rather to morph into something bigger. As your company evolves and grows, you’ll also need to consider how the composition of your online presence—your digital assets and channels—will need to change. In addition, you must consider what policies are appropriate at the time.

As an early-stage startup, you might find yourself at the Starter level of digital policy maturity, but the reality is that you should mature over time, not opt for the same policies that apply to a small business.

Making the case: Digital policies deliver benefits beyond protection

Early in this chapter, I described how lax things were in the early days of the internet. We made mistakes due to the overall lack of maturity in the digital space—and we often ignored them for the same reason.

But now, legal and regulatory bodies have introduced new rules, and the public is savvier. And thanks to near-universal, instant access to social media, digital slip-ups and online “oops” moments are harder to hide. The risks to business are now too large to ignore. Organizations now must balance the opportunities of having an online presence against the risks.

However, risk mitigation isn’t the only driver of digital policies. When thoughtfully developed and implemented, digital policies can deliver benefits beyond protecting your business from risk:

  • Identifying new opportunities for engaging with your markets—and even creating new ones
  • The ability to engage your customers wherever they are (YouTube, Instagram, etc.)
  • Creating competitive advantage by setting a digital standard that competitors can’t match
  • Making sure that your company’s efforts in the digital realm are aligned with your strategic business goals
  • Eliminating the repetitive work that occurs when employees constantly have to ask for permission or guidance (which also frees them to focus their efforts on being more creative)
  • Shortening approval cycles