X - Thou shalt be accountable for customer data

The obligation of accountability

There was a time when companies would point the finger at each other and say: “they are responsible for what happens to customer data, not us.” But no longer. Today, every company – whether you collect, store or buy data – is accountable for the data that crosses their desk.

We’re strong advocates of companies being held accountable for the data they collect and process. But don’t just take it from us. As a matter of fact, accountability is one of the 7 core principles of the EU Data Protection Law. Of course you know these by heart, but just in case: here are the 7 principles again:

1. Lawfulness, fairnessand transparency (‘be open, honest, fair and follow the law’)

2. Purpose limitation (‘define accurately what you will use the data for’)

3. Data minimization (‘only collect the data you need’)

4. Accuracy (‘the data should not be incorrect or misleading’)

5. Storage limitation (‘how long will you keep the data?’)

6. Integrity and confidentiality (‘how are you securing the data?’)

7. Accountability

So when we say accountability is a commandment, we’re not talking metaphorically for once. Taking accountability for your data is an actual obligation. So what does accountability entail exactly?

Treat data like a bank treats money

Although transparency is defined as a separate principle, it’s closely related to accountability, since being accountable requires you to be open and transparent to your customers about how much data you collect, why you collect it and how it improves the customer experience. To explain this in more detail, let’s consider how a bank looks at their customers’ money. Here, accountability operates on three levels.

Functional level

If a bank stores money, the money still belongs to its clients. But the bank is responsible for keeping the money safe. Even though you store customer data on your (cloud) server, the customer remains the owner of this data. It means they have the right to view, change or delete their data, hence the right to be forgotten. Another aspect of the functional level is security: you are responsible for keeping the data secure, and taking responsibility in case of a data breach.

Regulatory level

When you collect and store data, you have to make sure you gather this data through correct consent management. In other words: your customers must explicitly consent to sharing their data, and you only have the right to operate within the scope of this consent. Much like banks are also strictly regulated on what they can do with your money.

Systemic level

Every system that deals with data in one way or another needs to be under your control. In other words: you need to be able to adapt and change systems quickly when it is required (for instance, upon customer requests). If the customer of a bank requests not to have high risk investments in their portfolio, the bank needs to be able to immediately follow up on this request.

If you’re automating certain data streams (for instance with recommendation engines or automated personalization), you need to be able to monitor and overrule the algorithm and install the right level of accountability.

The correct way to handle customer data

When dealing with customer data, adhering to these principles will assure legal – and ethical – compliance:

• Be transparent to customers about how and why you collect data

• Secure the data as best as you can, and be responsible for the consequences in case of a data breach

• Only collect data that your customers allow you to collect

• Make sure you can explain how this data will improve their customer experience

• Have processes in place to overrule the data systems when the customer asks for it

• Work with the right technology that enables you to monitor and process data