A Path Towards Trust


Be it users stepping away from the world’s biggest social media platform, a major airline’s share price plummeting after a large data breach, or Australia’s largest bank committing to a stronger focus on privacy and security – events in recent weeks provide a strong reminder of the fragility and critical importance of trust to businesses seeking success in the digital economy.

Bodies as illustrious as the World Economic Forum and OECD have written at length about the pivotal role of trust as a driving factor for success today.

But what does trust actually mean in the context of your organisation? And how do you practically go about building it?

A good starting point for any organisation wanting to make trust a competitive differentiator is to gain a deeper understanding of what trust actually means, and specifically, what it means for it.

Trust is a layered concept, and different things are required in different contexts to build trust.

Some basic tenets of trust become obvious when we look to popular dictionaries. Ideas like safety, reliability, truth, competence and consistency stand out as fundamental principles.

Another way to learn what trust means in a practical sense is to look at why brands are trusted. For instance, the most recent Roy Morgan survey listed supermarket ALDI as the most trusted brand in Australia. Roy Morgan explains this is built on ALDI’s reputation for reliability and meeting customer needs.

Importantly, the dictionary definitions also emphasise an ethical aspect – trust is built by doing good and protecting customers from harm.

Digging a little deeper, we look to the work of trust expert and business lecturer Rachel Botsman, who describes trust as “a confident relationship with the unknown”.  This moves us into the digital space in which organisations operate today, and towards a more nuanced understanding. We can infer that consumers want new digital experiences, and an important part of building trust is for organisations to innovate and help customers step into the novel and unknown, but with safety and confidence.

So, how do we implement these ideas about trust in a practical sense?

With these definitions in mind, organisations should ask themselves some practical and instructive questions that illuminate whether they are building trust.

• Do customers feel their data is safe with you?

• Can customers see that you seek to protect them from harm?

• Are you accurate and transparent in your representations?

• Do your behaviours, statements, products and services convey a sense of competence and consistency?

• Do you meet expectations of your customers (and not just clear the bar set by regulators)?

• Are you innovative and helping customers towards new experiences?


Two specific areas of practice that have major implications for trust are regulatory compliance and reputation management.

Regulatory compliance

Privacy laws and regulatory guidance provide a pretty good framework for doing the right thing when it comes to trusted privacy practices (otherwise known as the proper collection, use and disclosure of personal information).

Every entity bound by the Privacy Act 1988 and equivalent laws should be taking proactive steps to establish and maintain internal practices, procedures and systems that ensure compliance with the Australian Privacy Principles.  They should be able to demonstrate appropriate accountabilities, governance and resourcing.

But compliance alone won’t build trust.

For one, the majority of Australian businesses are not bound by the Privacy Act because they fall under its $3m threshold. This is one of several reasons why Australian regulation is considered inadequate by EU data protection standards.  

Secondly, there is variability in the ways that entities operationalise privacy. The regulator has published guidance and tooling for the public sector to help create some common benchmarks and uplift maturity. No such guidance exists for the private sector – yet.

Consumer expectations are also higher than the law. It may once have been acceptable for businesses to use and share data to suit their own purposes whilst burying their notices in screeds of legalese. However, the furore over Facebook / Cambridge Analytica shows that sentiment has changed (and also raises a whole bucket of governance issues). Similarly, increasingly global consumers expect to be protected by the high standards set by the GDPR and other stringent frameworks wherever they are, which include rights such as the right to be forgotten and the right to data portability.

Lastly, current compliance frameworks do not help organisations to determine what is ethical when it comes to using and repurposing personal information. In short, an organisation can comply with the Privacy Act and still fall into an ethical hole with its data uses.

Your organisation should be thinking about its approach to building and protecting trust through privacy frameworks. Start with compliance, then seek to bolster weak spots with an ethical framework: a statement of boundaries to which your organisation should adhere.

Reputation management

The way an organisation manages its reputation is unsurprisingly tightly bound up with trust.

While there are many aspects to reputation management, an effective public response is one of, if not the most, critical requirements.

In the era of fast-paced digital media, and with a vocal community of security and privacy experts on social media, a poorly managed communications response to a cyber or privacy incident can rapidly damage trust. A poor response has been seen to result – at least in the short term – in financial impacts, executive scalps, and broader government and legal repercussions like inquiries and class actions.

A Google search will quickly uncover examples of organisations that mishandled their public response. These examples will often have one or many of the following features:

- The organisation was slow to reveal the incident to customers (i.e. not prioritising truth, safety and reliability)

- The organisation was legalistic or defensive (i.e. not prioritising the protection of customers)

- The organisation pointed the finger at others (i.e. not prioritising reliability or accountability)

- The organisation provided incorrect or inadequate technical details (i.e. not prioritising a show of competence)

Achieving a high-quality, trust-building response that reflects the earlier discussed principles of trust is not easy in the intensity of managing an incident.

An organisation’s best chance of getting things right is to build communications plans in advance that embed the right messages and behaviours. Plans and messages always need to be adapted to suit specific incidents, but this proactive approach allows organisations to develop trust-building messages in a calmer context. It’s equally critical to run exercises and simulations around these plans, to ensure that key staff are aware of their roles and aligned to the objectives of a good public crisis response, and that hiccups are addressed before a real crisis occurs.


Arjun Ramachandran, Principal, elevenM and Melanie Marks, Principal, elevenM and InfoGovANZ Advisory Board Member