Consumer trends report emphasises the importance of data privacy and its value to businesses

What happened

• A recent study from PR agency WE Communications looks at consumer trends in data privacy since the pandemic and how brands can take a proactive approach to privacy management.
• The Privacy Mandate New Normal, New Rules survey was conducted in partnership with YouGov on more than 5,000 consumers and B2B decision-makers from the UK, US, Australia, China, India and Singapore.

Key findings on a global level include:

• 65% of individuals surveyed said that they want a comprehensive picture of how their data is gathered, as well as control over how it’s used and shared with third parties.
• 84% of individuals surveyed said they would either stop or reconsider doing business with a brand that does not proactively share its approach to collecting and protecting data.
• 87% of consumers will reconsider or stop doing business with a brand that asks for information that isn’t relevant to its product.
• Nearly 9 out of 10 consumers said they will take the tough stance of cutting ties with businesses and brands based on their privacy and confidentiality standpoint.

Key findings specific to UK consumers include:

• 89% of individuals surveyed want to choose when and how they give access to their personal data.
• Interestingly, only 29% of UK consumers said they’d be happy for brands to collect their data to receive a better service, less than any other market participating in the survey.
• Government agencies are deemed most trustworthy in handling personal data compared to brands, social media sites and e-commerce platforms.

Why it matters

• Businesses must take the initiative in making data privacy a compelling, relevant part of their relationships with customers. This has become increasingly important over time, as privacy regimes continue to amplify globally, and the average customer’s awareness of data protection requirements has risen.
• How consumers view a brand’s business ethics can be significantly influenced by their stance on data privacy. Consumers are paying greater attention to company privacy policies to learn about the principles hidden behind the brand name, in the same way that consumers are now checking how a company’s actions affect the environment and are trying to buy from more sustainable brands.
• For businesses willing to talk to customers about data protection and promote openness and transparency, the survey’s findings demonstrate that the benefits to businesses are substantial.

Examples of ways for your organisation to demonstrate data protection compliance and transparency include:

• Review existing privacy practices and associated privacy notices to identify any areas of improvement, taking into account all of the GDPR principles. For example, consider whether it is possible to provide the same service whilst collecting less data and ensure that access to data is limited strictly to those with a legitimate business need.
• Ensure your organisation’s privacy policy meets best practice requirements and is accessible to the average user. This includes making it clear and concise and explaining how the data that you’re collecting benefits the user.
• Ensure there are dedicated, suitably trained data privacy professionals on hand to oversee the data privacy framework within your organisation e.g. a Data Protection Officer. Their contact details should be easily accessible to your employees, the ICO and to customers whose personal data you process.
• Remind your customers that the ball is in their court by enabling easy data management through your websites and other customer-facing platforms. Do this by offering offer strong privacy defaults, user-friendly options and controls, and respecting user preferences.
• Consider what technical measures you can put in place to assist your organisation in complying with the data protection principles and implementing data protection by design, such as through the use of privacy-enhancing technologies.

What happened

• In a significant ruling this month, the Court of Justice of the EU (CJEU) opted to interpret the definition of ‘special category’ personal data under Article 9 of the GDPR broadly, which could greatly impact how such data is handled by organisations subject to the EU GDPR going forward.
• The case was initially brought about by an issue with the application of Lithuanian anti-corruption legislation, which requires that anybody receiving public funds present declarations of interest. These disclosures, along with information on the person’s “spouse, cohabitee, or partner’s” interests, were made available online.
• As part of this case, the CJEU ruled that, because it is feasible to infer details about a person’s sexual orientation or sex life from the name of their partner, posting that information online constitutes an indirect disclosure of special category data, which is covered by Article 9 of the GDPR.
• By implication, the same rule applies to inferences connected to other types of special category data, which includes data revealing or concerning any of the following:
  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data
  • biometric data (where used for identification purposes)
  • health
  • sex life and sexual orientation

Why it matters

• The CJEU’s interpretation will be applicable to a wide range of other data processing scenarios that might imply information that is subject to Article 9 of the GDPR. For instance, processing of location data or dietary information that might suggest a person’s religious or philosophical ideas or posting a photo that implies a person’s disability.
• As a result of the decision, all organisations subject to the EU GDPR may need to review their current processing activities in order to rule out a too-narrow interpretation of what constitutes special category data.
• This would involve carefully considering whether the type of data being processed, coupled with the manner of the processing itself, could lead to an indirect inference of information which constitutes special category data.
• Where any such special category data could be inferred, organisations would be required to adapt their compliance position in response to the ruling, which for example would include:
  • Identifying the Article 9 GDPR lawful basis used to process the underlying special category data
  • Considering whether it may be necessary to obtain explicit consent from data subjects for that processing
  • Update privacy notices accordingly to reflect the processing of special category data
  • Assessing whether, in light of the data now being deemed more sensitive, the processing activity meets the criteria for completion of a DPIA.
• Xcina Consulting will closely monitor the developments on this issue, including any regulatory guidance released in response to the judgment, and provide updates as they occur.