Prioritize Data Subject Rights To Earn Customer Trust

Research from 2019 provides worrying insights about consumers’ control over personal data. 81% do not feel they have control over the collection and use of their data.

Jan 5, 2021

You can exert control over an object only if you are capable of modifying, influencing, and destroying it. While this logic can sound obvious when applied to tangible items such as a car, a carpet, or any physical item you possess, it applies equally to digital assets such as personal data, even though they are intangible, can be copied infinitely to multiple places, and processed in opaque ways.

Individuals can be assumed to hold control over their personal data only if they:

  • are fully informed about what personal data is collected and how it is used;
  • can exert control over the collection, use, sharing, and erasure of personal data.

PWC research from 2019 provides worrying insights about consumers’ degree of control over personal data. 81% of consumers do not feel they have control over the collection and use of their data. Furthermore, 55% of survey participants favored better consumer tools while 45% of consumers demanded more government regulations to gain more control.

Acknowledging consumer demand for stronger control over data, regulations such as GDPR and CPRA enable individual control by introducing new data subject rights, such as the rights to access, rectification, and deletion of data.

Alongside being a legal obligation under privacy laws, data subject rights can also be an effective tool for building trust between you and your customers.

If people do not know what personal data has been collected about them or to whom it’s been transferred, they cannot exercise their data subject rights. Equally, the proper exercise of the rights to correct or request deletion of personal data is also a prerequisite of individual control.

According to a recent PWC survey, 87% of consumers want the ability to remove any data from search engines if they think that data damages their reputation. While the right to request deletion is not an absolute right under GDPR and CPRA, this statistic is a testament to how much consumers value the right to erase personal data.

As businesses’ exploitation of personal data on a mass scale comes under public scrutiny, the growing mistrust of individuals toward businesses is no surprise.

According to a KPMG study, more than half of respondents mistrust both the collection and use of their personal information: 53% and 54%, respectively.

In the same study, 56% of consumers state that businesses should prioritize giving consumers more control over their personal data.

Consumers’ craving for data subject rights similar to those provided under the CPRA is evidence of the need for businesses to prioritize control: 91% of participants agree that all citizens should enjoy the right to erasure of data, while 90% of participants state that all citizens should have the option to opt out of having their data used.

Considering consumers’ growing mistrust and their demands to exert more control over their data, data transparency can be a great way to increase individuals’ control over their data and earn their trust.

Different data privacy laws provide differing degrees of control to individuals over their data because obligations on businesses and the extent of data subject rights vary.

While compliance with data subject rights requirements in laws such as GDPR and CPRA is important, businesses should make establishing individual trust a priority and do more to enable individuals to exercise control over their personal data.

Here are some best practices in earning your customers’ trust vis-a-vis data transparency:

Keep Them Informed

Access to information about data processing is a prerequisite to making a decision about personal data, such as asking for deletion or editing, and then acting on that decision.

However, the collection of data from multiple and sometimes unexpected sources and its transfer to third parties make it harder to visualize what data is collected and by whom.

This is also reflected in a recent survey: 48% of consumers demanded that companies give them more visibility about why and how their data is collected and used.

Implement Technology to Make the Whole Process Consumer-Friendly and Simple

The longer and more cumbersome the journey of fulfilling a data subject request is, the harder it is for individuals to complete the process smoothly and exert control.

If you require consumers to fill out complicated forms or provide excessive information for identity verification, this is likely to drive them away and erode their control over their data.

Consumers’ desire for simplicity and frictionless experience is also evidenced by the Corporate Executive Board’s survey. It found that “decision simplicity,” the ease with which consumers gather information about a product, was the main driver for consumers to repurchase from the same company.

Fulfillment of a data subject request such as an erasure request consists of multiple steps: identity verification, retrieval of relevant data, assessment, and then the execution of consumers’ will.

Considering the difficulty of mining all structured and unstructured personal data from your systems, verifying identity without error, and the execution of requests across all devices and systems, you may consider a data privacy management software solution that provides you with the following benefits and streamlines the process:

  • Data discovery and mapping software to mine structured and unstructured personal data, such as data often hidden within emails, spreadsheets, and PowerPoint presentations.
  • An identity verification feature that can enable biometric identification. Compared to knowledge-based methods, biometric methods are more reliable and more consumer-friendly.
  • A consumer-facing portal or interface where individuals can directly observe what data is collected and how it is used. If data subjects can make their requests via such a portal and their requests are implemented end-to-end, this will eliminate the human error element and provide the individual control needed.

Exceed Legal Requirements if Need Be

Each data privacy law is different. For example, while GDPR’s right to deletion covers data on archive systems, CPRA excludes them.

Even if your business is not subject to a privacy law as strict as GDPR or CPRA, providing consumers the rights they demand can earn their trust because it would demonstrate that privacy is more than just a compliance issue for your business: It is an essential element in the trust-based relationship you want to build.