It’s easy to see the EU’s new data protection rules as a box-ticking exercise. Yet going a step further and explaining how personal data is used and the benefits to data subjects can reward companies with stronger customer relationships, says Consentric’s Simon Crossley.
Many companies believe they are now well on their way to compliance with the new European data protection regulation, according to recent GDPR market research. But the GDPR survey also suggests a mismatch between those companies’ perceptions of their progress and their understanding of what’s actually required of them. Which means they could be missing out on important opportunities to reinvigorate customer relationships.
GDPR, enforceable in the UK under the new Data Protection Act 2018, significantly bolsters people’s rights over their personal data and what companies do with it. At its introduction in May, more than a quarter of organisations claimed to be ‘very well prepared’ for the EU General Data Protection Regulation and 61 per cent ‘somewhat’ prepared. Yet it’s hard to imagine that these businesses have transformed their approach to customer data as part of those preparations.
In many cases, companies will have approached the new rules as a compliance exercise – not a broader review of how the controls could work best for the business and its clients. Yet with GDPR, companies have a unique chance to develop a more sustainable plan around customer data that will contribute positively to their brand and business development.
Poor vs best practice
It’s easy to spot the companies that see GDPR compliance as a box-ticking exercise. The first sign is a lack of clarity in their customer communications: a big green button on their website, accompanied by generic policy wording pasted from a template. The main aim here is to secure quick confirmation of people’s data permissions, so they can get on and buy something. Anyone clicking through for more detail will be faced with pages of small print.
This is at odds with the spirit of GDPR, which is about empowering customers (‘data subjects’) to make more informed decisions. The key to this is transparency and full disclosure. The Information Commissioner’s Office (ICO) recommends using plain language and information layering. This puts the individual more in control, enabling them to drill down quickly to specific areas they want to clarify.
Sainsbury’s has clearly thought this through for shoppers registering for Nectar, its partner-based loyalty scheme. The online registration page explains exactly what each party wants to do with subscribers’ data and what customers can expect in return – relevant and personalised offers, for example. By explaining everything clearly and setting out the value for the data subject, Sainsbury’s is demonstrating fairness and integrity, in line with GDPR’s core principles.
Juro, a London startup which automates the creation and management of companies’ sales contracts using AI, has taken a similar approach. Click through to find out more about its cookies and there is a full breakdown of what Juro and its partners would like to do with personal data, and why, with their permission. Click through to its full privacy notice and you’ll be rewarded with a step-by-step walk-through of what will happen at every point along the customer journey – the information you will be asked to give and what you will get in return. Juro also spells out customers’ data rights and how to exercise them. It’s a great example of an experience that has clearly been designed – by default – from the client’s perspective.
Embracing the spirit as well as the rules of data protection
Being seen to embrace the ‘spirit’ of GDPR is at least as important as following the rules. So this is where organisations need to pay special attention if they want to convince people that they have their best interests at heart and will treat their data with respect.
One way companies can engender trust is by managing customers’ data permissions using a dedicated central platform specifically designed to address the more intricate detail of GDPR. If every aspect of consent is managed and tracked in a single place over time – a resource that can be quickly consulted and linked to a range of business systems (such as customer-relationship-management systems) – organisations can show that they are embracing data protection by design and default.
Taking this a step further, companies could open up such a central permissions hub for self-service access by customers – allowing them to securely access, review and edit their own permissions at any time. A recent GDPR customer survey by Consentric found that two-thirds of consumers would welcome the chance to view all of the data a company holds on them in one place.
Significantly, the same survey also confirmed that, far from wanting to withhold their data, people are largely happy to give it – as long as there is a clear benefit to them in doing so. When asked “Would you like to make money (or get other benefits) from your data?”, 64 per cent of UK respondents and 77 per cent of US consumers said yes.
Ultimately, true GDPR compliance is a mindset, and a way of doing business that offers lasting rewards. Operationalising GDPR using purpose-built compliance software isn’t hard to do, and offers a chance to increase engagement with customers – driving loyalty and ultimately revenue.
GDPR Impact Series Research 2018, DataIQ in association with Experian: https://www.edq.com/uk/resources/papers/gdpr-impact-research-2018/