Principle 4: Trust
Don’t Surprise the Customer
The principle is very simple, but it shouldn’t be underestimated. It is very often a bad idea to change how customers’ data is collected, especially if the customer has not been notified or asked beforehand.
How to keep the Trust?
If a company, or a state for that matter, has collected data for a given purpose, but the data subjects find out that the purpose has been changed without notification, they will probably lose trust in the company or state. And who can blame them?
Likewise, if the data subject gives her consent for her data to be used for one purpose, but it turns out that the company or the state actually used the data for another purpose, the data subject will probably lose trust in the company or state (provided they had this trust in the first place). This is also related to the Principle of Consent.
Consistent with the GDPR
One should also make sure that it is sufficiently clear for the customer, exactly which data are being collected, and what the purpose is. This should be done before the initial collection of data, but it should also be repeated whenever changes are made to the collection or use of data. If this is not done, then the Principle of Consent (Principle 3) will also be violated.
The Principle of Trust could also have been called “The Principle of Transparency”. In its essence, the idea is that the entire data process, from the data collection to the use of data, should be as transparent as possible to the data subject.
The reason why we call it “The Principle of Trust”, is that transparency often means that the data collector is passive. But if you want to make sure that the customer is not surprised, it will often require an active effort from the data collector. Few things are harder to gain, and easier to lose than trust. That’s why we say “Don’t Surprise the Customer”.
Don’t Surprise the Customer.