Many organisations view complying with the General Data Protection Regulation (GDPR) and other data protection regulations in the EU and UK as an onerous task. They find it challenging to meet the strict requirements, which include implementing comprehensive compliance protocols, reporting data breaches when they occur, securing explicit consent from individuals, and facing significant financial penalties if they fail to meet these obligations. However, on Data Protection Day, Martin Brazier from URM argues that we should be looking beyond basic DP compliance and taking a more thoughtful approach in order to build trust and loyalty with clients and staff alike. Having established the premise, Martin proceeds to propose various strategies for leveraging DP best practice to improve customer engagement, increase confidence, and nurture enduring loyalty.
The Changing Landscape
With the exponential advances in digital technologies, organisations now have the means to store and process vast quantities of data about customers and their behaviour. The same technologies can monitor and learn about individuals in a range of ways, from identifying a person's location, to observing their habits at home through smart devices, to tracking their fitness. Some companies prefer to give customers limited or vague information about this, choosing corporate control over transparency. But even organisations that want to do the right thing could do more to build trust with their customers.
People are now more aware of the data privacy landscape and their rights. Across all sectors, companies are seeing a rise in personal data rights requests, such as data subject access requests (DSARs) and requests for erasure.
Breaches of personal data are well-publicised, such as the 2021 Facebook breach affecting over 533 million users across 106 countries, the 2024 Ticketmaster breach involving data on over 560 million customers, or the exposure of account details of over 5 million Twitter (now X) users, disclosed in 2022. These make customers nervous, especially when they happen to large companies with the resources to protect data properly. Online fraud and identity theft are constantly in the news and on television screens, and a breach can also reveal processing that customers never knew was taking place, which is a further cause for concern.
Most people now have security or anti-virus software on their computers, and some of these products monitor the dark web for their customers' personal data and alert them when it appears in a leak.
All of this means that customers are increasingly aware, and are becoming less tolerant of organisations that don’t take care of personal data or which process data in an opaque way. Companies that are transparent about what they do with customer data and offer fair value in return for that data will be trusted, and those that conceal their activities risk losing customer goodwill.
It Starts With Transparency
There is a requirement under the first DP principle for personal data processing to be transparent. Furthermore, the legislation provides data subjects with a right to be informed about what is happening with personal data.
It is important for data protection compliance reasons that data controllers tell people what they are going to be doing with personal data. By being open and honest with people, you immediately start to build trust right at the beginning of a client relationship. When customers believe they can rely on a business to look after their data and their privacy, they are more likely to engage and remain in a long-term relationship with that organisation. So, what are the ways you can inform customers about DP such that it establishes and builds trust?
Keep information simple and in plain language, avoiding jargon and legal terms.
Organise information in a clear and logical way, which helps people understand what data is being processed and why.
Use visual aids to get the message across. Diagrams and infographics can be helpful, and a simple 1-minute video or presentation can be useful to introduce the main points.
Think about using tiered information. For example, have a very short one-page document with the main points and DP pledges, with links to the complete information should the customer wish to dig a little deeper. Splitting the privacy notice according to the audience will also help ensure that customers only see what is relevant to them. For example, a property company might have different privacy information targeted at residential tenants, commercial tenants, visitors to retail venues, stakeholders and people applying for jobs.
Avoid burying transparency information within terms and conditions. Faced with a long and difficult-to-read document, many people simply will not read it: there is a series of videos on YouTube of someone reading the Amazon Kindle terms and conditions aloud, and it runs to nine hours.
Make sure that privacy information is easy to find and wherever possible, point your customers to it during the sign-up or purchase process.
Privacy by Design and Default
The concept of privacy by design and default is built into the EU and UK GDPR, which require data controllers to put in place appropriate technical and organisational measures (TOMs) to implement the DP principles effectively and safeguard individuals' rights, so that the default position protects privacy and, again, builds customer confidence. The GDPR calls this 'data protection by design and by default'. The idea itself predates the GDPR and was promoted by regulators for years as good practice; the key change is that, under Article 25, it is now a legal requirement.
This requires you to integrate DP into processing activities and business practices, from the design stage right through the lifecycle. It isn’t enough to ‘retrofit’ DP into systems and processes after they have been implemented, it must be considered at the start.
Some of the key tips to achieving privacy by design and default include:
Embed the requirement to consider DP into procurement processes. This will ensure that your organisation doesn’t purchase software or services that could compromise GDPR compliance or privacy, and ensures that DP is considered as early as possible.
Ensure that you complete data protection impact assessments (DPIAs). Whilst DPIAs are only mandated for high-risk processing, they are useful for any proposal involving personal data. A screening assessment is quick to complete, helps prevent important risks from slipping through the net, and forms a record of the reasoning, decisions and controls required to protect personal data, helping to meet the accountability principle. Don't forget, if you have a reportable breach, one of the first questions a regulator will ask is 'can I see your DPIA?'
Develop a corporate culture which encourages the minimum amount of data to be processed and to prevent data being collected ‘just in case’, thereby complying with the data minimisation principle.
Ensure the corporate culture prevents personal data from being re-used for incompatible purposes, thereby complying with the purpose limitation principle.
Implement automated data deletion to comply with the storage limitation principle. Relying on humans to remember to delete data can be risky.
Consider data anonymisation or pseudonymisation techniques to reduce the risk to personal data.
Overall, the key message is to ensure any DP measures are set to provide the most privacy as the default.
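The storage limitation and pseudonymisation tips above are the two points in this list that translate directly into code. The following is an added example, not code from URM or the original article: it pseudonymises an identifier with a keyed hash (HMAC-SHA256) so that the key, held separately, is the 'additional information' needed to re-identify, shows why a plain SHA-256 of an email address is not adequate pseudonymisation (a dictionary attack recovers it), and runs an automated retention purge driven by a per-purpose schedule. The email addresses, purposes and retention periods are constructed for illustration; the schedule and the key-handling comments are assumptions about how an organisation might set this up.

```python
"""Added example (not from the original article): keyed pseudonymisation and
automated, schedule-driven deletion of personal data."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample identifiers (not real people).
SAMPLE_EMAILS = ["alice@example.com", "bob@example.com", "carol@example.com"]


def normalise(identifier: str) -> str:
    """Canonicalise so 'Alice@Example.com ' and 'alice@example.com' map to one pseudonym."""
    return identifier.strip().lower()


def unkeyed_hash(identifier: str) -> str:
    """Plain SHA-256. Looks anonymous but is not: anyone holding a leaked table and a
    list of likely identifiers can hash the list and match, so this is weak at best."""
    return hashlib.sha256(normalise(identifier).encode()).hexdigest()


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed pseudonymisation with HMAC-SHA256. Output is stable for one key, so records
    about the same person can still be linked, but reversing it requires the key, which
    should be held separately under its own access controls (an assumption about how the
    deployment is organised, not something this code enforces)."""
    return hmac.new(key, normalise(identifier).encode(), hashlib.sha256).hexdigest()


def dictionary_attack(target: str, candidates, hash_fn):
    """What an attacker with a leaked table and a guess list does: hash each guess and compare."""
    for candidate in candidates:
        if hmac.compare_digest(hash_fn(candidate), target):
            return candidate
    return None


@dataclass
class Record:
    pseudonym: str
    purpose: str          # the purpose the data was collected for (purpose limitation)
    created: datetime


# Hypothetical retention schedule: one period per processing purpose.
RETENTION = {
    "order_fulfilment": timedelta(days=180),
    "marketing": timedelta(days=365),
}


def purge_expired(records, now, schedule=RETENTION):
    """Split records into kept / purged / needs_review. A purpose with no retention
    period is neither silently kept nor silently deleted: it is a gap in the schedule
    that a human has to close."""
    kept, purged, needs_review = [], [], []
    for rec in records:
        limit = schedule.get(rec.purpose)
        if limit is None:
            needs_review.append(rec)
        elif now - rec.created > limit:
            purged.append(rec)
        else:
            kept.append(rec)
    return kept, purged, needs_review


def demo():
    key = secrets.token_bytes(32)  # in production: loaded from a secret store, never generated per run
    leaked_unkeyed = unkeyed_hash("alice@example.com")
    leaked_keyed = pseudonymise("alice@example.com", key)
    now = datetime(2025, 1, 28, tzinfo=timezone.utc)  # constructed 'current' time
    records = [
        Record(pseudonymise("alice@example.com", key), "order_fulfilment", now - timedelta(days=200)),
        Record(pseudonymise("bob@example.com", key), "order_fulfilment", now - timedelta(days=10)),
        Record(pseudonymise("carol@example.com", key), "marketing", now - timedelta(days=400)),
        Record(pseudonymise("carol@example.com", key), "analytics", now - timedelta(days=5)),
    ]
    kept, purged, review = purge_expired(records, now)
    return {
        # attacker has the leaked hashes and a guess list but not the key
        "unkeyed_recovered": dictionary_attack(leaked_unkeyed, SAMPLE_EMAILS, unkeyed_hash),
        "keyed_recovered": dictionary_attack(leaked_keyed, SAMPLE_EMAILS, unkeyed_hash),
        "same_key_stable": pseudonymise("Alice@Example.com ", key) == leaked_keyed,
        "kept": len(kept), "purged": len(purged), "needs_review": len(review),
    }


if __name__ == "__main__":
    print(demo())
```

The unkeyed hash of the constructed address is recovered by the guess list while the keyed pseudonym is not, and the purge removes the two records past their period, keeps the one within it, and sets aside the record whose purpose has no retention entry. Whether the result still counts as personal data under the GDPR depends on who can access the key, so the key store, not the hash function, is where the real control sits.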
Putting Customers in Control
Building trust can be enhanced by allowing customers access to their data and giving them choice over the data they provide and what happens to it. Providing simple options for opting in or out of certain processing empowers consumers with a sense of control.
Surveys have shown that the value people place on their data varies with the type of data, and that concern over its mismanagement rises accordingly. A report published in the Harvard Business Review (HBR) analysed three categories of data:
- Self-reported data – information provided by the data subject
- Digital exhaust – including data created when using digital devices, such as location data and browsing history
- Profiling data – personal profiles used to make predictions about individuals’ interests and behaviours.
The analysis showed that people value self-reported data the least, they value digital exhaust more and value profiling data the most. Certainly, what is considered acceptable will differ among customers, so offering them a choice over their data usage allows them to determine the point at which they feel comfortable.
Interestingly, a report in 2023 by the IAPP showed that increasing computer automation without human oversight is perceived by most consumers as a high privacy risk.
Delivering Value in Exchange for Personal Data
Delivering value does not mean paying users for their data. In fact, the HBR study found that paying users can decrease trust, possibly because they feel that accepting payment means giving up control over their data.
The HBR study then examined how much value customers expect in return for different uses of their data, so that businesses can offer something back and make the exchange explicit and transparent. It looked at three categories of data use:
- Making a product or service better, such as a map application using a device’s location to suggest travel routes
- Facilitating targeted marketing, such as advertising based on a user’s browsing history
- Generating revenues through data resale, such as selling credit card purchase data to third parties.
It found that when data is used to improve a service, customers generally feel the enhancement is a fair trade for their data, particularly if they control whether the exchange takes place. They expect greater value when data is used for targeted marketing, and more still when it is sold to third parties. The value customers expect in return therefore rises as the use of their data moves further from their own direct benefit, and with the sensitivity of the data involved.
A Final Thought
With growing customer awareness of their rights and the rise in data processing, often without human intervention, it seems that the time has come for organisations to look beyond basic compliance. While doing the bare minimum may reduce costs and satisfy regulators, adopting a more thoughtful approach to DP can boost customer engagement, build trust, and foster greater long-term loyalty.
The tactics to achieve that are simple. Be open and transparent about what you do with customer and employee data. If possible, make simple pledges about what you will and won’t do with their data – for example, that you’ll never sell or share it, and that you’ll delete it when you no longer need it. Put the customer in control and give them choices about the data they give you and what you will do with it. Combine that control with a value proposition, which provides them with a better product or service in return for increased trust.
Finally, build privacy into your core products, services, processes and systems, and build a corporate culture which places a high value on customer data – after all, without it you may not have a business at all.
How URM Can Help
Understanding the nuances of DP legislation, such as the GDPR, and how its requirements apply within your organisation can be difficult without assistance. As such, URM can offer a range of GDPR consultancy services, informed by 20 years of experience supporting organisations to comply with DP legislation, to ensure your organisation meets GDPR requirements in full and can maintain essential customer trust in its processing practices.
URM’s consultancy service offerings include conducting a GDPR gap analysis to help you establish where your organisation is already compliant with the GDPR and in which areas it is currently falling short, helping you create a record of processing activities (ROPA), and assisting with DPIAs and data transfer impact assessments (DTIAs), to name a few. We can also offer a virtual data protection officer (vDPO) service, which enables you to access an entire team of DP experts, each with their own area of specialism. Meanwhile, if you require DSAR support, URM can offer a DSAR redaction service in which we will apply the necessary exemptions and redactions to ensure you provide a compliant response.
As well as our consultancy services, URM also regularly runs a number of DP training courses. To expand your professional skillset and learn how to conduct key compliance activities, you can attend our half-day training courses on Conducting DTIAs, Conducting DPIAs, and our 1-day course on managing a GDPR DSAR. If you would like to enhance your understanding of the UK DP landscape more broadly and gain an industry-recognised DP qualification, URM runs the BCS Certificate in Data Protection (CDP) course, which will fully prepare you to sit and pass the BCS-invigilated examination.