GDPR and Privacy: How to Earn the Trust of Your Customers and Keep Regulators Happy

Customer data is the lifeblood of any organisation and the key to unlocking sales and growth. But the data you hold and how you use it is about to come under intense scrutiny, thanks to new European privacy rules.

The EU General Data Protection Regulation (GDPR) is the biggest shake-up to the region’s laws in this area in almost a generation, introducing sweeping new rights for consumers and potentially onerous obligations for organisations. To avoid hefty fines, whilst retaining the trust of your customers and prospects, you’ll need to pay special attention to the new rules and make lasting changes that go well beyond the box-ticking compliance efforts of old.

Consumer trust

New research from the DMA and Acxiom actually suggests that most consumers (61%) are already pretty happy about the amount of information they share. Over half (51%) acknowledged that data is essential to the smooth running of the modern economy and a quarter (25%) classed themselves as “unconcerned” about matters of data privacy.

However, this is just one report. Separate research from the ICO last November revealed that only one fifth of the UK public have trust and confidence in organisations storing their personal information.

Whatever really is going on inside the minds of consumers, the reality is that the GDPR will place rigorous new rules on how you collect, manage and use their personal data (PII). With the government claiming in January that just 38% of UK businesses have even heard of the new law, it’s time to act before the 25 May deadline.

Transparency and accountability

Transparency should be your watchword, with 88% of consumers citing it as the key to increasing trust around how their data is collected and used. The GDPR requires organisations to obtain explicit consent from individual “data subjects.”

You need to be clear and concise with your consent statement, keeping it separate from other T&Cs, and make it easy for customers to withdraw that consent in the future if they wish. You’ll also need to keep a record of consent: who, when, how, and what you told people.

On a similar theme, the GDPR will require you to provide more information than ever before on how you use the data you collect on individuals. It needs to be both detailed and easy-to-understand, which can be a tough balancing act. Don’t forget also to include details of any data sharing with third party partners or processors.

Aside from consent, another way to legally process data is if you can prove “legitimate interest.” If you’re a larger organisation, your Data Protection Officer (DPO) — another requirement of the GDPR — may need to first conduct a Legitimate Interests Assessment (LIA).

Minimisation and relevance

So what counts as “personal data?”

The bad news is that the GDPR has significantly broadened the scope of PII. According to the ICO, it now covers “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.”

In practice, this means names, dates of birth, email and home addresses, telephone numbers, online identifiers, genetic and biometric data, mobile device IDs, IP addresses and much, much more. It also applies not just to customers and prospects but also to your employees and to individuals at other businesses you interact with or sell to.

All of this makes data minimisation an essential practice to reduce your compliance burden and your exposure to data breach-related risk. Carry out a data audit and think carefully about what you’re storing and how it’s used. Encryption and pseudonymisation are recommended for the most sensitive data you’re handling, and delete anything that is non-essential or out of date.
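As an added illustration (not code from the original article) of two points made above, the consent record of who, when, how and what people were told, and the pseudonymisation plus deletion of stale data just recommended: the sketch below keeps a consent ledger keyed by an HMAC pseudonym of the email address rather than the address itself, answers whether a given processing purpose is currently permitted, and purges withdrawn consents once an assumed retention period has elapsed. The key, the 365-day retention policy and the walkthrough data are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

PSEUDONYM_KEY = b"constructed-demo-key"  # constructed; in production load it from a secrets store
RETENTION_DAYS = 365  # assumed policy: keep withdrawn consents this long as evidence, then delete

def pseudonymise(email: str) -> str:
    """Keyed hash: the ledger never stores the raw email, yet the key holder can still link records."""
    return hmac.new(PSEUDONYM_KEY, email.strip().lower().encode(), hashlib.sha256).hexdigest()

@dataclass
class ConsentRecord:
    subject: str                         # who (pseudonymised identifier, never the raw email)
    purpose: str                         # what processing the subject agreed to
    method: str                          # how consent was captured (web form, phone call, ...)
    notice_version: str                  # what the subject was told at the time
    given_at: datetime                   # when
    withdrawn_at: Optional[datetime] = None

class ConsentLedger:
    def __init__(self):
        self.records = []
    def record(self, email, purpose, method, notice_version, when):
        self.records.append(ConsentRecord(pseudonymise(email), purpose, method, notice_version, when))
    def withdraw(self, email, purpose, when):
        for r in self.records:
            if r.subject == pseudonymise(email) and r.purpose == purpose and r.withdrawn_at is None:
                r.withdrawn_at = when
    def may_process(self, email, purpose, now):
        # True only while a consent for this purpose is in force at time `now`
        return any(r.subject == pseudonymise(email) and r.purpose == purpose and r.given_at <= now
                   and (r.withdrawn_at is None or r.withdrawn_at > now) for r in self.records)
    def purge_stale(self, now):
        # data minimisation: delete withdrawn consents once the retention period has passed
        cutoff = now - timedelta(days=RETENTION_DAYS)
        keep = [r for r in self.records if r.withdrawn_at is None or r.withdrawn_at >= cutoff]
        removed = len(self.records) - len(keep)
        self.records = keep
        return removed

def demo():
    """Constructed walkthrough: consent given, withdrawn a month later, purged after retention."""
    ledger, t0 = ConsentLedger(), datetime(2018, 5, 25, tzinfo=timezone.utc)
    ledger.record("Alice@Example.com", "marketing", "web form", "notice-v2", t0)
    allowed = ledger.may_process("alice@example.com", "marketing", t0 + timedelta(days=1))
    ledger.withdraw("alice@example.com", "marketing", t0 + timedelta(days=30))
    blocked = not ledger.may_process("alice@example.com", "marketing", t0 + timedelta(days=31))
    return allowed, blocked, ledger.purge_stale(t0 + timedelta(days=30 + RETENTION_DAYS + 1))
```

Because the pseudonym is keyed, a leaked ledger on its own does not reveal email addresses, while the key holder can still honour a withdrawal or access request for a named person.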

Make sure you have best practice security measures in place to protect that data from hackers. This should include identity and access management (IAM) controls featuring multi-factor authentication and a “least privilege” policy.

Ultimately, the organisations that succeed going forward will be the ones that see the GDPR as an opportunity to differentiate and grow, by not only complying but gaining the trust of their customers in doing so. If you’ve historically relied on buying-in prospect data from third parties, for example, you’ll need to become more self-sufficient in developing and maintaining an up-to-date database of leads. But this in itself offers a great chance to get closer to your customers and improve the relevance of your sales and marketing efforts.