Data protection: How will customers react to new legislation?


The Data Protection Bill passed its second reading in the House of Lords on the 10th October. With the Bill now making its way through UK Parliament ahead of the introduction of the General Data Protection Regulation (GDPR) on 25th May 2018, Baringa Partners researched consumer attitudes towards data protection. Our results reveal companies risk losing up to 55% of customers if they suffer a significant personal data leak. 

We looked at consumer attitudes towards companies in the banking, insurance, energy, and TV, phone & internet sectors. We found that, in the event of a data breach, 30% of people would switch provider immediately and a further 25% would wait to see a media response or what others say and do before switching to another provider. But there are some steps which companies can take to reduce their exposure to data breaches or hacks. 

Companies are exposed to the risk of hacks or unauthorised use of data where multiple versions of customer information are saved on different systems. This potential threat to customer retention highlights the investment choices companies need to make ahead of GDPR, for the sake of their business. With over half of customers at risk of switching to a competitor in the event of a major data breach, companies urgently need to demonstrate they have strong data protection policies in place. The introduction of GDPR will expose those companies with insufficient or flawed practices; the consequences of this could be disastrous. 

The next stage for the Data Protection Bill will involve a line-by-line examination of the Bill following a largely unnoticed second reading, and is therefore unlikely to be closely followed by the public. However, an ongoing High Court case may raise the profile of data protection issues and subsequently lead to more customer inquiries about what personal data companies hold and how secure it is.

WM Morrison is currently involved in the UK’s first data leak class action following a security breach in 2014 where over 100,000 employee records were made public by a disgruntled employee. The outcome of this case has huge implications for organisations; primarily, the risk of having to pay out staggering compensation payments to the many individuals affected by a data breach. If companies don’t get their data protection policies in line ready for GDPR, this type of case could become much more prevalent.   

The reputational damage following a high-profile data breach could have even greater implications for businesses. Other firms should look closely in the coming months at how WM Morrison responds to its court case and if its actions change public views of the brand. It seems unlikely that the supermarket will leave the trial with its reputation intact.   

In the past, organisations have (possibly complacently) relied on short-term memories when it comes to reputational damage. Many brands caught up in tax avoidance scandals, for example, have continued to make a profit – even those that saw customers leave and vow never to return. Organisations may take the gamble that although some customers may switch provider in response to a data breach, others will just ignore, accept or forget it – and indeed, over time plenty of ex-customers may even return.   

But, with GDPR and the Data Protection Bill explicitly providing for compensation payments to affected individuals, data protection breaches will be in the public eye for much longer. In the very near future, with the increased likelihood of class action-style lawsuits following breaches, scandals could see many more customers walk out the door, without the possibility of them returning.

Under GDPR, companies will also experience an increase in data breaches. This is because most companies don’t think about data breaches in the way that GDPR describes them. Companies have long been using customers’ personal data for their own purposes and, as a result, have become less conscious about what regulations say is an acceptable use of personal data. With the introduction of GDPR, there will be an increase in regulation and firms will struggle not to breach it.

An increased number of reported data breaches will also impact on consumer trust. Our research shows that, on average, 64% of customers trust companies with their personal data; mostly based on their established brands or strong reputations. Specific data practices, such as transparency relating to data privacy policies or using data for reasons other than its original purpose, have less impact on trust levels around personal data.    

It’s clear that the majority of customers, by and large, trust businesses with their data. But it’s also clear that businesses cannot afford to be complacent. Trust may be based on reputation and loyalty rather than specific data practices, but this is a false distinction to make: if companies fail to shore up their data defences, it is their brand that will take the hit.   

Another issue that often arises following data breaches is that customers suddenly realise how much information their service providers hold on them and what was lost. Across the industries we looked at, on average 56% of consumers didn’t know how much of their personal data was held by companies and therefore at risk in the event of a data breach. When GDPR comes into force and companies have to comply with a customer’s request to see what data a company holds on them, consumers may well have their eyes opened and limit the data they share.

With our research showing that nearly half of all consumers don’t feel that they get enough communication from their service providers on their personal data, GDPR presents an opportunity – not only to enhance data protection, but also to proactively engage customers and explain what personal data is processed and why. This is a real chance for responsible companies to set themselves apart. 

Daniel Golding,  Director at Baringa Partners 
