Some organisations and companies are “hiding behind” their data protection and privacy obligations, and it’s leading to poor customer service. In doing so, they’re missing an opportunity to build trust and deliver a better customer experience. That’s the view of Valerie Lyons, BH Consulting’s COO and senior consultant, in a recent interview with the Irish Independent.

The General Data Protection Regulation has been in force since May 2018, but it seems some organisations are not applying it correctly. “What’s really irritating is that some businesses that don’t understand what the GDPR is have people on the front desks saying: ‘I can’t help you with that because of GDPR’,” Valerie told the Independent. “They are missing out on opportunities where they could be helping their customers because it’s easier to say no. I usually find that if a company has bad customer service, their data protection service is bad too,” she told the paper.

A common-sense approach to data privacy

She urged companies and organisations to use “common sense”. They should follow the spirit of the GDPR rather than a literal, narrow interpretation.

Valerie will be speaking about this subject at the Secure Computing Forum in the RDS in September. The event has become a fixture on the Irish security conference circuit in recent years. This year’s edition features many high-profile domestic and international experts on security, privacy and data protection. The event takes place on Thursday 12 September. More details are available at the official website, and the link to book tickets is here. Valerie and other members of the BH Consulting team regularly present at conferences and events. You can find details of all upcoming events on our listing page.

Beyond mere compliance

Valerie has looked closely at the issue of data protection as part of her PhD research at DCU Business School. She has previously argued that it’s time to look beyond just following the rules towards improving consumer trust. In a blog from November last year, she framed trust not as a matter of compliance but as an ethical issue.

She cited research by Columbia Business School which found that three quarters of consumers are willing to share their data if they trust the brand and are more willing to do so in exchange for benefits, such as reward points and personalisation – but only if it’s on ethical, fair and transparent terms [our emphasis].

Doing privacy rights vs doing privacy right

“Shifting from privacy to ethics moves the conversation beyond ‘doing rights’ toward ‘doing right’,” Valerie wrote. “This ethical approach to data privacy recognises that feasible, useful or profitable does not equal sustainable, and emphasises accountability over compliance with the letter-of-the-law.”

She said communicating a trust-based message was essential if brands are to persuade people of their good intentions. In the process, they stand a better chance of turning them into loyal customers. “Organisations that ethically manage data and solve the consumer-privacy-trust equation are more likely to win loyal consumers who pay a premium for their products and services,” she wrote.

Seven steps towards trust

Back in July 2017, Valerie outlined how organisations could implement privacy protection initiatives that enhance trust using these seven principles:

  • Implementing a more ‘justice’-based set of non-binding rules (e.g. OECD Fair Information Practices Principles)
  • Incorporating Privacy-By-Design principles into new product developments and processes
  • Accreditation to Trust Seals
  • Providing visible data protection and privacy awareness training to both internal and external customers such as consumers, employees and suppliers as they build trust
  • Publishing privacy initiatives in CSR and sustainability reports
  • Putting consumer trust at the heart of every strategic information management decision
  • Communicating policies and terms and conditions not as legal documents that they’re required to publish, but as documents that establish and enhance a trust-based relationship with the consumer.

Valerie noted that the GDPR is loosely based on these principles, even though they existed long before the regulation did. “There is a strong case for organisations to implement these principles because it is ‘the right thing to do’; not just because the regulation tells them they should,” she wrote.

“Organisations need to remind themselves that the personal data they hold does not belong to them but rather to the people who entrusted their personal data to that organisation. Trust is the foundation in any relationship. By demonstrating it takes the responsibility of protecting the data entrusted to it, an organisation can build lasting relationships with its customers.”