The use of data is growing exponentially as the sheer amount of data available increases. It has become an even more valuable commodity to businesses and their marketeers, who use it to forge better relationships based on trust in this new data-driven economy, to build more detailed customer profiles, and to set highly targeted and relevant campaigns. However, consumers are becoming wise to this and are increasingly mistrustful and suspicious of how their personal data is used, shared and profiled. Not only can organisations gain information on a person’s demographics, but with technology it is possible to map their shopping preferences, where they check in and who they are connected with on Facebook.
Over recent years, and with an increasing number of high-profile data security breaches, trust is gradually being eroded and we’re now at a tipping point where scepticism rules.
In many cases you can understand why. You only have to look back at the overwhelmingly negative reaction to Facebook’s acquisition of WhatsApp and the covert changing of permissions from ‘We’ll never advertise’, to ‘Unless you explicitly tell us you don’t want advertising, you’re going to get it’. 
It’s been reported that the TalkTalk customers who experienced a breach of personal data security have since received daily streams of scam phone calls that are a constant reminder of how vulnerable their data can be.
Even the organisations we view as warm and cuddly have had their fair share of negative data protection publicity, with some well-known charities being fined by the Information Commissioner’s Office for poor data protection practices.
The response to consumer concern and the general data explosion is more stringent regulation. From May 2018, the EU General Data Protection Regulation (GDPR) supersedes the existing directive created in 1995, which in the UK became the Data Protection Act 1998. This will bring data protection into the digital age, forcing organisations to be more open and transparent about the data that they collect, collate and share about individuals. At its core are three principles to help protect consumers and their data:
With GDPR, companies will need unambiguous or explicit consent to use an individual’s data. Individuals have the right to know what information is held about them, who it is shared with and the purpose it has been used for. Most organisations simply don’t have the systems in place to deal with this, but they will need to be ready if the ICO comes knocking on the door.
The right to be forgotten
This is one of the fundamental parts of GDPR. Every individual has what is called the ‘right to erasure’. If requested, a business will need to remove all data held on that specific individual, across the entire organisation, and inform any third-party companies it shares data with to do likewise.
If data is kept in different places, for different purposes, this can also cause issues. Research from Symantec shows that 90% of businesses believe it is too hard to delete customer data and only 40% have systems in place that would allow them to do so.
Greater transparency is crucial. Organisations need to evidence that the data being held is with consent and that systems are in place to protect data and data sharing.
Research by Data IQ in 2016 stated that 21% of consumers believe consent is valid for six months, when the reality is that it is often kept for much longer and many organisations keep no record of how and when data was obtained. Organisations will need to be clearer about how long ‘a reasonable length of time’ should be.
To be transparent, organisations need a centralised, secure system to manage individuals’ permissions. This includes adding, editing and deleting on request. An even better solution would be a portal where individuals can control their permissions themselves: a single source of truth.
This will ultimately build greater trust and strengthen engagement between organisations and their consumers.
Procrastination is not an option for GDPR. On 17th January 2017, British Prime Minister Theresa May stated in her Brexit Plan, A Global Britain, that as part of this process, existing EU laws in force in the UK would be converted into full UK laws. That, effectively, means that the EU’s General Data Protection Regulation will be law in the UK, too.
Implementing the right systems to comply with GDPR may bring with it headaches in terms of administration and compliance, but it also presents a unique opportunity. Placing individuals in control of their own data is the start of the trust relationship, leading to greater engagement between organisations and their customers and resulting in increased loyalty and retention for the business over the long term.