The General Data Protection Regulation (or GDPR) celebrated its first anniversary on May 25, 2019. It was developed to grant European Union (EU) citizens and residents–individuals within the EU and the European Economic Area–complete control over their personal data.

Despite a two-year preparation period, not all were ready for the start of enforcement. Some chose to stop serving EU customers; one of the more notable cases was that of Instapaper, which opted to temporarily cease operations until they could sort out their compliance issues. Others were more than prepared: both Apple and Microsoft were among companies choosing to extend some or all GDPR rights even to non-EU customers.

The caution by companies fearful of meeting GDPR compliance was well founded. With two tiers of administrative fines that can be levied as penalties for GDPR non-compliance depending on the infraction, it has some teeth:

• Up to €10 million or 2% annual global turnover, whichever is higher or
• Up to €20 million or 4% annual global turnover, whichever is higher

While reports of fines have not been made public, evidence suggests at least one hundred companies have been penalized for some type of infraction. Meanwhile, other countries around the world including the United States mull adopting a subset or all of the sweeping privacy legislation.

From data breaches to misused social media information, concern over privacy has continued to be a hot topic. While GDPR sets a level of protection in the EU, customers around the world remain cautious about sharing information. And whether mandated by GDPR or not, companies have a duty to their customers to maintain trust and loyalty.

Transparency

The first thing a company must do is offer greater visibility into its privacy-related practices. What data is being collected and stored? What additional information might be collected through the course of doing business (in other words, information a customer doesn’t necessarily offer but is observed by the company)? How is this information used, both within the company and shared with any external third parties?

With all privacy details identified, the next customer-centric step is to provide it in plain language. While legal terms and conditions are required, demonstrate commitment to customers by summarizing the practices in terms they can understand and ask questions about.

Time and effort savings

Most companies have a single-minded purpose for collecting information about customers: to sell them more. From offering up additional products and services based upon the behaviors of similar customers to understanding the buying patterns of individuals better, this process is understandable from a sales perspective but also somewhat one-sided in terms of the party that benefits (hint: it isn’t the customer).

Opt to do something beneficial for customers: use their information–both that offered by them and inferred–to simplify customer service processes. Use knowledge of the products they own or services they use to reduce their effort when they need assistance, such as:

• Filtering knowledge base searches (allowing them to expand the search as needed)
• Limiting choices to only those applicable when creating a case online
• Initiating chatbot conversations around the most likely questions they have or issues they may be experiencing

Privacy-related requests

The cornerstone of GDPR is the unprecedented control it gives individuals over their data: everything from the right to see what data has been collected, the ability to edit it, see and restrict how it is processed, and the right to be forgotten (data erasure). While a huge win for customers and privacy, it does create a whole new set of potential service requests from customers.

But these types of service requests are not unlike other common ones that can be addressed using automation. Do you allow customers to view and change their personal information? Do you allow them to update communication preferences? Do you offer the ability to register warranties, track shipments, or request field service? Just as automation has created a self-service option for customers for issues such as these, so too can privacy-related requests be automated using workflow–and when they are automated, it makes it that much easier to offer this same peace of mind and control to customers not protected by GDPR or similar laws.

Win-win

Despite years of planning and one year in, companies around the world struggle with adhering to GDPR. For regions not regulated by it or similar legislation, customers continue to raise concerns about how their information is collected, used, and protected. While companies must adhere to GDPR where applicable or face the consequences, they do have choices to make for other customers.

It comes down to two matters: maintaining trust and compliance while delivering value. To deliver on that, provide visibility into privacy policies and practices in a manner that is understandable to customers; use information customers have shared to make their service journey effortless; and make it easy for them to exercise GDPR-type requests–even if GDPR protections aren’t mandated to them. Privacy is as important as any other business issue, and customers will only continue to demand better protection from the companies they buy from.