How does a stolen wallet connect to GDPR?

In my twisted mind, it was an easy connection. They are both an opportunity to either solidify or destroy a customer relationship.

Let’s start with the wallet. En route to Amsterdam, my wallet was stolen. After a tense couple of hours in Heathrow Airport, a rescheduled flight to Amsterdam, and several British Airways and American Airlines representatives looking on planes, in lost-and-found areas and anywhere else they could think of, the conclusion was made…the wallet was gone.

My first call was to the card company that claims that membership has privileges. It is a brand promise—a pledge that by choosing this card, there will be support that goes beyond just being a cardholder or customer. You, while clutching this sliver of plastic, are a member. Sadly, after seven phone calls and 24 hours, membership proved to be an invitation for accusations and partial information, leaving me without assistance or a replacement card while traveling internationally.

During the course of my conversation, I asked the rep if they had all of the information about my account in front of them as the previous five people didn’t seem to have a clear picture of the account, revealing limitations to what could or could not be done at the conclusion of every call. This poor rep said, “That’s not how our system is built. We get one screen at a time because having too much overwhelms us, so this helps make it easier on us.” When I asked, “Well, what if you can’t find the right answer or give the customer the right recommendation or action?” he responded, “Then it is up to the customer to call us back and start over again until the right outcome is achieved.”

I was also told that because of the “type” of customer I was, the promises of membership changed. Because I was a corporate cardholder, the promise was extended to my company, not me. The promise was to eliminate fraud, and because I was “too insistent in receiving a card outside of protocol,” it was an indicator that I could be requesting a fraudulent action, so now additional protections to their “member” needed to be put into place. After all, I could be stealing from the company.

When I asked how they could help me, as a cardholder and traveler who was overseas without my card, they said they had a traveler assistance program that they could connect me with, which was a different department and to which I was transferred, and they did not answer the line. I was quite literally left hanging.

Clearly, the privilege of membership is access to a toll-free phone number to call back, free of charge, and being accused of fraud in the midst of a chaotic and distressing time.

On the other hand was the hotel in which I was staying. I should start by saying that I am a loyal Hilton customer and have been for years. That loyalty has brought about the elusive Diamond status conferred on those of us who spend more time at the home away from home than others. But even before knowing my status or loyalty level, the front desk at the Hilton in Amsterdam’s Schiphol airport had already started problem-solving and taking care of me, offering assistance to replace my passport, if needed, and asking me first and foremost how I was doing. They checked me in, and when I offered to put what cash I did have with me as a deposit on the room, they refused, telling me they would rather I hold onto that for use while in town.

They told me to go to my room, get something to eat, try to get some sleep and come down in the morning to figure out what to do with the billing and charges. There were no accusations of fraud, no telling me which “other department” needed to be contacted, and no making me feel like I was somehow making bigger problems for the person on their side of the desk. They even sent me a giant bottle of water with a note saying they hoped that the next day would be better than the day I had already had.

With gestures of human kindness and empathy, they solidified my loyalty.

So how does this relate to GDPR? How we treat our customers is a choice—we can choose to act with empathy, or we can act like scripted machines in search of an opt-in date for record. By now, like I have, you have likely received an avalanche of privacy notice updates and opt-in explanations. We have a choice in how we communicate what we are doing with our customers’ data. We can clearly explain, understand their concerns and ask for permission, or we can jargon people into submission and compliance.

It will also be a choice of how we will act moving forward. We have the choice to live up to the spirit of the regulations and legislation by understanding why it was put in place: to fundamentally secure and protect the privacy of the average consumer and return a modicum of control back into their hands. We can respect that spirit and leverage data to return value and improve the customer experience, or we can flaunt their opt-in date confirmation in their faces and send out self-serving communications that put products before customers and basically telegraph that what matters most to the brand is the purchase and not the relationship.

Let me be clear: GDPR is a pain. It is an eye-rolling, confusing, painful regulation that makes me want to volunteer to read War and Peace again instead of reading the full regulatory document. It is full of jargon and language that makes little sense and seems to fold back in on itself like a scene from the movie Inception. But at its core, it is a promise to our customer that we will be respectful and responsible.

In my stolen wallet drama, there were choices that companies could make: Assume I was up to no good or assume that what I needed most was kindness and support. With GDPR, the choice is ours—empathy or apathy. To borrow from Maya Angelou, “We all have empathy. We may not have enough courage to display it.”

It’s time to show our courage!

Your comment will appear on this page upon moderator's approval