“Data Protection legislation is a pain we can do without. It adds to the cost and complexity of our administration and hampers our ability to carry out marketing in a competitive way.” This is a view we have occasionally heard expressed along the corridors of organisations, often somewhere near the marketing department…
But is that view true? Is there really no value added through data protection compliance?
Working with a range of clients from different sectors over recent years, we have seen a variety of attitudes to data protection legislation. Most of our customers see the GDPR as an opportunity to gain customer trust. Keeping up with legislative changes and making adjustments to websites, promotional material and the way they respond to ITTs gives our clients another way to differentiate their business and services from those of their competitors.
A responsible, caring data protection culture becomes an asset resulting in an increase in customer trust and loyalty. As consumers become more aware of the dangers and consequences of reckless handling of their personal data, they are starting to value those secure practices in data protection over lower prices.
Gaining customer trust
The Information Commissioner’s Office undertakes regular surveys into consumer trust and confidence in how organisations handle personal data. This year’s study took place during the COVID-19 pandemic lockdown. The results, published in July, showed that there has been a move to the middle ground in the levels of trust and confidence over the past year, with decreases in both high and low trust and confidence. The proportion of respondents who have no confidence at all remains 10%, as in 2019. Once again, the ICO reports that, by sector, the least trusted are still social media companies by a large margin.
There have been slight increases in the proportion stating that the reason for their high level of trust and confidence is due to legislation (15% from 13% in 2019) and because more companies protect their customers’ data and do not sell or share it without gaining the appropriate consent first (7% from 5% in 2019).
The data protection concerns of most importance to the public and which would be most likely to stop them using an organisation are having their personal information stolen, shared, or sold to third parties and being a victim of fraud/scams. It is interesting that data selling and sharing without explicit permission is viewed in the same light as the activities of hackers and scammers. And while the public are often willing to trade some personal data in exchange for goods or services, they are unimpressed by companies sharing their data with third parties.
Many clients approach us for data protection consulting regarding template policy wording to include in tender responses to questions about data protection compliance. These statements must reflect what actually happens at the client and how they manage data protection. It is always sad to see square brackets containing tailoring instructions left in such documents, such as [Insert company name here]. This demonstrates a lack of understanding not only of the document itself, but of its importance and relevance. Some companies make similar mistakes on their website privacy notices, and here it becomes an advertisement to the world that they have not even read their own privacy notice, let alone written it.
The freight ferry company, Seaborne, who were chosen by the government to operate extra ferries for Brexit, demonstrated this in a spectacular fashion in January 2019. Their website terms and conditions were found to contain terms relating to pizza delivery.
Ridicule was also heaped on Seaborne’s “privacy terms”, which stated: “Members hold freedom to express themselves in their feedback. Although your intellectual freedom is respected, [Business name] reserves the right to remove from our website any material deemed threatening, immoral, racist, inaccurate, malicious, defamatory, in bad taste or illegal.”
This also shows how important it is to select your business partners carefully. Their shortcomings could also damage your business reputation.
When responding to ITTs, or other due diligence checks into your data protection compliance, there are some key comfort messages that can be highlighted. Due diligence provides an opportunity to demonstrate knowledge of data protection and how it impacts on business activities. Organisations can use it as an opportunity to describe the data protection control framework employed to manage compliance: roles and responsibilities; GDPR policies and procedures; training; review; and improvement.
This makes key data protection messages much more likely to resonate with your customers and help to differentiate your business from your competitors.