If the General Data Protection Regulation achieves one thing above all others, then changing the balance of favour between individual data subjects and the data controllers asking for their personal information will be it. Certainly, that is what the European Commissioners who drafted GDPR had in mind.
For some organisations, this concept has come as something of a shock. Despite the existing principles of the Data Protection Act, which already mandated transparency and limitation of purpose, a relatively freewheeling culture had arisen which assumed the ready availability of data and the concupiscence of consumers in providing it. Just look at the streams of tech start-ups which have this view at their heart. GDPR could fundamentally challenge that business model, if enforced rigorously and embraced actively by individuals.
But that is only the case if you take a defensive view in which there is a power struggle between the legitimate interests of business and the human rights of consumers. Many organisations are adopting a more positive view, positioning themselves as active enablers of their customers’ enhanced GDPR rights and expanding their brand promise accordingly. These forward-looking firms know that, when a law defines what you can say or do, demonstrating your active respect and endorsement of its principles is a better optic than trying to finesse the details.
In this respect, consumers are ahead of the curve. The latest GDPR Impact research commissioned by DataIQ clearly reveals a positive mindset towards data sharing, providing the conditions are right. Twice as many consumers (30 per cent) say they will provide their data to brands they trust than said this two years ago (16 per cent). That is a significant boost in the numbers of the trusting which, it can only be hoped, gets met by a similar rise in the numbers of brands who are trustworthy.
Perhaps even more significant is another big shift in attitude. Back in 2016, half of all consumers (49 per cent) said they would prefer not to share their data if they could avoid it. Whether such avoidance is really possible in the digital economy is a moot point, but this cautious frame of mind represented a significant blocker to any adoption of consent-based data processing under GDPR. Yet, this year, the number in this group had fallen to 32 per cent.
That leaves the rational - people who will share their data if they are given a good reason to do so - as the biggest group at 38 per cent. Since this is exactly what GDPR asks data controllers to do, organisations should take this as a firm basis for the new data-value exchange, especially when combined with those in the trusting group to take the total consumers who are positively disposed up to 68 per cent.
So what does this mean in practice, and how do data collection processes need to be adapted to suit? Peter Galdies, technical director at DQM GRC, says: “Really consider and document how you are planning to use the data (being transparent within the organisation is just as important as without). Then balance that with the data subjects' expectations. Does this work? If so, then win the day by clearly and briefly explaining why it’s good for them to share their data.”
Of course, in some cases that balance will not be in the consumers’ favour and they may choose to withhold their consent to data processing (or go elsewhere for the product or service). If sufficient in number, this would force a root-and-branch rethink of that process and potentially of the business model it is meant to support.
Galdies recommends testing compliant alternatives, using consent management technology to track variants and create an audit trail. This is no different from the way creative propositions and offers are tested by marketers, but could pay big dividends for consent.
“Spend time considering the data-value exchange dialogue – it will be worth it. When putting together your fair processing and privacy notices, don’t just ask someone to opt-in or consent, instead request in as plain, honest and conversational a way as possible,” he recommends.
This may require some process re-engineering and investment in new technology. GDPR does not mandate either, but it is likely to lead any company wanting to be compliant towards both. But if it makes the difference between getting on-side with the sharing-positive consumer and sustaining your business model or not, it will be worth it.
This article is the first in a ten-week series by DataIQ in association with our GDPR partner, DQM GRC.