This handbook uses the term “service providers” to refer to private sector organisations that offer goods and services to customers. Service providers in the retail, communications, social media, travel, financial services and other consumer sectors routinely gather and analyse data about their customers, as well as about other aspects of their operations. This information is then used to inform business processes and to differentiate between consumers. This is done in order to target consumers with products and services. Because this targeting process (called “customer relationship management” or “CRM”) gathers information that is then used to influence consumer buying behaviour, it is surveillant in nature.
In some of these sectors, such as social media, the analysis and sale of customer data is the core business model. Some business sectors, such as travel, communication and financial services, are required by law and/or court orders to pass customer data to the government for national security purposes. This raises a set of concerns not only about data sharing and use of customers’ data, but also about how customers perceive brands, products and services.
To increase resilience to surveillance, service providers can reflect on the following questions:
- Has the service provider undertaken a privacy impact assessment (PIA) in relation to the customer and business information processing it provides?
- Is the profiling and/or monitoring of consumer groups (for example, of their behaviour, intention, sentiment, location or movements) intrusive? Would the service provider be comfortable if this profiling or monitoring were applied to his or her family and friends?
- How are consumers made aware of their data protection and privacy rights when they purchase a product or service from the service provider? Has the service provider made consumers aware of the extent to which it processes information about them? What measures has the service provider taken to enable consumers to contact the service provider for clarification about the information collection, processing and sharing it undertakes?
- How easy is it for consumers to locate the data protection officer in the service provider’s organisation and to make a request in respect of the information that the service provider holds on them? Is the service provider devoting adequate resources to ensure its compliance with data protection regulation?
- In what respects could the service provider improve data protection compliance within its organisation (for example, in relation to data anonymisation, retention, storage, consent, security or data protection training)?
- Is it appropriate for the service provider to undertake branding or marketing activity that reinforces privacy as a brand value? How might this benefit its market position?
- How would consumer trust in the service provider’s products or services be affected if it were revealed that the service provider had collected and shared information about consumers without their knowledge? What is the likelihood of this occurring?
- In respect of the service provider’s organisation, what mechanisms of redress are available to customers whose information is incorrect, or has been wrongly or maliciously processed or shared? To what extent are the service provider’s customers aware of those mechanisms? Are they made explicit on the organisation’s website or in documentation sent to customers?
- Can the service provider envisage how the receipt of lower quality or higher priced offers, based on customer profiling, may adversely affect the lives of different groups of consumers? What alternatives are available for disadvantaged consumer groups?
- Would the service provider’s segmentation criteria be legal when assessed against gender, race, disability and age-related discrimination legislation?
- If the service provider is required to pass customer information to its national government, under what circumstances and with what effect can it refuse to comply with these requests? Has it ever done so?
- Has the organisation been adequately resourced to deal with government requests for information?