By Lewis Barr | Posted on May 25, 2017
With the effective date of the European Union (EU) General Data Protection Regulation (GDPR) 12 months away, many companies selling into the European market are conferring with their data processors about how they will satisfy requests that customers make under their GDPR rights, including the rights to access their personal data, have it transferred, and have it deleted, among others.
I recently sat down with the CISO of a company with several well-known retail brands to discuss the service functionality his company sought in order to enable compliance with customer requests made under the GDPR. During the course of our discussion, the CISO recognized the benefit that a unified customer record would provide in meeting data subject requests for access, portability, and deletion while indicating there was some squabbling among his company’s brand managers over ownership of the customer data. After further discussion, he recognized what his brand managers did not—that none of them owned customer personal data, the customer did, and that enforcement of the GDPR would reinforce customer ownership.
A GDPR satori for the CISO? Maybe. But after that meeting, I had a little satori of my own: for a business focused on customer success, when it comes to customer privacy, there should be no distinction between the interests of the business and the interests of the customer. You might call it the nonduality privacy principle.
A customer reasonably wants his or her privacy respected and to provide only the information necessary to accomplish a clearly understood purpose, whether it is to participate in a loyalty program, be informed about personalized services, or contribute to a non-profit’s campaign. Indeed, a late 2015 Forrester report found that one third of consumers have canceled transactions due to privacy concerns. As awareness of GDPR privacy rights grows, we can expect this linkage to increase. For its part, the business seeking to use the customer’s personal data recognizes that respecting the customer’s privacy is a reflection of respect for the customer and will help establish or grow the customer-business relationship and trust in the brand. The enlightened business understands that good customer service includes informing the customer about why the business is requesting the customer’s personal data and how the business will treat the data, and then treating the data accordingly.
Both the well-informed customer and the enlightened business recognize that when done right, the processing of personal data is part of a mutually satisfying business transaction. The same can be said of honoring data subject rights under the GDPR.
That many businesses are slowly awakening to the recognition that honoring customer privacy is a key component of good customer service brings to mind the slow development of customer-friendly return policies. But businesses with well-deserved brand loyalty, such as Patagonia and Amazon, figured out a long time ago that a favorable return policy is an important factor in the customer’s purchase decision. Now, the business that, like Channel 4 in the UK, respects a customer’s privacy, makes it easy for the customer to assert his or her data rights, and honors those rights will not only help enhance its brand by doing so but also be that much closer to GDPR compliance.