Most people experience data protection as a pop-up to get past, not as part of being looked after - and that’s a problem for trust.
In this episode of Digital Customer Communications: Regulated, we’re joined by Catarina Santos and Caine Glancy from Data Protection People, consultants who see the reality of hundreds of frontline data protection queries every month.
Together, Catarina and Caine share how organisations can make data protection genuinely customer friendly at scale, from the wording in a privacy notice to the way you handle a breach email on a customer's worst day.
We explore what customer friendly data protection looks like in practice, linking it to UK guidance on transparency, accountability, and consumer outcomes.
Why Customer Friendly Data Protection Matters
Ask most people what they think of when they see the words “data protection” and you’ll probably hear about cookie banners, long forms, and legal jargon.
People are cautious, increasingly aware of their rights, and much more likely to act when they feel something is not right.
That caution is not about hating data protection. It is about wanting to know what is happening, why it is happening, and how to stay in control.
For Catarina, a lot of the challenge comes from the way organisations frame their responsibilities.
"We have all these amazing concepts in data protection, but people mostly meet them as a barrier, not as a way of being cared for."
Catarina Santos, Data Protection Consultant
Customer-friendly data protection means flipping that experience around.
Instead of seeing transparency and accountability as a compliance cost, you treat them as conditions for trust, in line with the UK GDPR principles on lawfulness, fairness, and transparency.
Done well, you can meet your legal duties and your promises under frameworks like the FCA’s Consumer Duty, where clear communication and effective support are critical expectations.
Turning Privacy Information Into Something People Actually Read
One of the most visible expressions of your data protection approach is the humble privacy notice.
The UK GDPR right to be informed, backed by ICO guidance, sets out what people must be told, when, and in what level of detail.
But as Catarina and Caine point out, it is the how that often lets organisations down.
Customers are frequently met with a single, dense page that tries to do everything at once and ends up serving almost nobody. Regulators have been clear that you can do better than that.
That might include short 'just in time' explanations alongside a form, icons in an app, or a dashboard that shows what data you hold and use.
"If your privacy notice only makes sense to the person who wrote it, it probably isn’t doing its job."
Catarina Santos, Data Protection Consultant
What Frontline Queries Reveal About Real-world Challenges
While Catarina spends a lot of time on governance and design work, Caine leads the support desk that deals with the fallout when policies and reality collide.
His team handles questions from organisations across sectors on everything from subject access requests to breach handling.
That vantage point shows patterns that project teams don't always see. Some questions reflect understandable uncertainty about complex topics. But many, Caine explains, are symptoms of deeper issues.
"When you’ve answered the same question dozens of times in a week, it is not just a training gap - it is a sign that a process or communication is not working for people."
Caine Glancy, Data Protection Support Desk Manager
Support data can be a powerful source of insight if you treat it as feedback on your customer experience, not just as tickets to close.
Trends in questions about retention, access, or marketing preferences can show where your privacy information is unclear, where a product feature nudges people into unexpected data use, or where a legacy system is making compliance harder than it needs to be.
If you treat the support desk as part of your design feedback cycle, you're more likely to build services that feel fair and predictable to customers.
Handling Breaches as Moments That Can Build or Destroy Trust
Few conversations are more uncomfortable than telling someone you have lost or exposed their data.
Yet, recent surveys from regulators and bodies like the ICO show that many people have already experienced a breach of some kind.
For Catarina and Caine, this makes the tone and timing of breach communication critical.
People are often dealing with anxiety, financial risk, or a sense of violation. An email that leans too heavily on legal language can feel detached or evasive. An update that arrives late, with little detail, risks damaging trust far more than the incident itself.
Effective breach communication means explaining clearly what happened, what you know, what you are still investigating, and what you are doing to protect people.
It also means being honest about uncertainty while committing to follow up as you learn more.
That approach aligns with broader research on public trust in data from organisations like the Office for National Statistics, which underlines how openness and responsiveness can rebuild confidence after mistakes.
Culture, Champions, and Keeping Privacy Alive
Both guests stress that policies and notices are only part of the story.
Long term, it is culture that determines whether data protection feels like a living part of your service or a one-off project that quietly fades.
This is where data protection champions, guardians, or ambassadors are vital. Catarina describes champions as people embedded in teams who notice when something feels off, ask questions, and make sure privacy is considered in everyday decisions.
They aren't there to replace specialist advice. They are there to keep the conversation alive between audits and training cycles.
Research into public attitudes to data and AI shows that people are increasingly sensitive to how their information is used in profiling, automated decisions, and new tools.
Organisations that stay close to those concerns, and adapt their practices as technology shifts, are more likely to maintain trust.
At Data Protection People, that culture building extends beyond client engagements.
Catarina and Caine also appear on the company’s own Data Protection Made Clear podcast, where they unpack real-world issues in plain language.
Practical Steps for Making Data Protection Customer Friendly at Scale
So what can organisations actually do with these insights?
Drawing on the conversation and recent regulatory guidance, there are several practical moves that work across sectors.
Start With Journeys, Not Legal Clauses
Map the key journeys where you collect, use, or share personal data, and identify the moments where people might reasonably ask “why this data?” or “what happens next?”
Use those moments to provide short, well-timed explanations, backed up by a fuller notice for those who want more detail.
Check that your lawful bases and purposes are consistent with what a reasonable person would expect, as set out in ICO guidance on lawfulness, fairness, and transparency.
Layer Your Privacy Information for Real People
Instead of a single, static privacy page, use layered approaches that combine headlines, summaries, and detail.
Test drafts with people who are not privacy specialists and iterate based on their feedback.
Turn Your Support Desk Into a Feedback Engine
Track themes in data protection queries and incidents, and feed those insights into product design, training, and governance forums.
If customers, colleagues, or partners keep asking the same questions about retention, rights, or marketing, treat that as a signal to revisit your processes or communications.
Use dashboards or simple reporting to bring those patterns to life for leadership teams.
Prepare for Breaches With People in Mind
Do not wait for an incident to happen before thinking about how you will talk to people.
Develop breach communication templates that cover the essentials but leave room to explain what happened in plain language.
Consider how your approach aligns with wider expectations on fairness and support under the Consumer Duty, especially for vulnerable customers who may need extra help to understand the implications.
Invest in Champions and Ongoing Conversations
Create a network of data protection champions across teams, with clear routes back to specialist advice.
Give them regular updates on regulatory guidance, case studies, and emerging risks, drawing on resources like ICO accountability frameworks and public engagement reports from bodies such as the ONS.
Encourage them to surface issues early, before they become complaints or reportable incidents.
What Does “Customer Friendly” Data Protection Actually Mean in Practice?
Customer friendly data protection means meeting your legal obligations while designing journeys, notices, and support in ways that feel clear, fair, and predictable to the people whose data you use.
It is about making rights and choices easy to find and act on, not just publishing a long privacy page.
How Can Smaller Organisations Start Improving Their Privacy Notices Without a Big Project?
Start by identifying your highest traffic journeys and rewriting the key explanations in plain language, using ICO guidance on privacy notices for structure.
Then add simple 'just in time' messages where people are about to share data, linking to your full notice for more detail.
What Role Does the Support Desk Play in Data Protection Compliance?
A support desk is often where issues surface first, from rights requests to breach concerns.
If you capture and analyse those queries, they can highlight where policies, training, or system design need to change.
How Does Good Data Protection Support Consumer Duty Obligations?
Clear explanations of data use, fair profiling, and responsive support all contribute to good customer outcomes under the Consumer Duty.
Aligning your data protection practices with those expectations helps you demonstrate that customers are treated fairly and can make informed decisions.
Do We Need Data Protection Champions If We Already Have a DPO or Privacy Team?
Champions do not replace specialist roles, but they help bridge the gap between policy and day-to-day reality.
They can spot emerging issues in local processes, encourage colleagues to raise questions early, and bring practical context back to the central privacy team.
Sam Kendall is a digital strategy specialist with nearly a decade of experience exploring the intersection of technology, culture, and transformation. At Beyond Encryption, he drives strategic marketing initiatives that enhance secure digital communications and foster digital identity innovation. Known for insightful research into digital culture and user behaviour, Sam combines expertise in SEO, CRO, and demand generation with a deep understanding of the evolving digital landscape. His work empowers organisations to navigate complex challenges in digital transformation with clarity and confidence.