GDPR codifies into law something that should be considered elementary: customers own their own personal data. When it comes to customer privacy, there should be no distinction between the interests of the business and the interests of the customer writes, Lewis Barr, General Counsel and VP, Janrain

With the effective date of the European Union (EU) General Data Protection Regulation 12 months away, many companies selling into the European market are conferring with their data processors about how they will satisfy customer requests exerted under their GDPR rights, including the rights to access their personal data, have it transferred have it deleted, among others.

I recently sat down with the CISO of a company with several well-known retail brands to discuss the service functionality his company sought in order to enable compliance with customer requests made under the GDPR. During the course of our discussion, the CISO recognized the benefit that a unified customer record would provide in meeting data subject requests for access, portability and deletion while indicating there was some squabbling among his company’s brand managers over ownership of the customer data. After further discussion, he recognized what his brand managers did not—that none of them owned customer personal data, the customer did, and that enforcement of the GDPR would reinforce customer ownership.

A GDPR satori for the CISO? Maybe. But after that meeting, I had a little satori of my own: for a business focused on customer success, when it comes to customer privacy, there should be no distinction between the interests of the business and the interests of the customer. You might call it the nonduality privacy principle.

A customer reasonably wants his or her privacy respected and to provide only the information necessary to accomplish a clearly understood purpose , whether it is to participate in a loyalty program, be informed about personalized services, or contribute to a non-profit’s campaign. Indeed, a late 2015 Forrester report found that one-third of consumers have canceled transactions due to privacy concerns. As the awareness of GDPR privacy rights will grow, we can expect this linkage to increase. For its part, the business seeking to use the customer’s personal data recognizes that respecting the customer’s privacy is a reflection of respect for the customer and will help establish or grow the customer-business relationship and trust in the brand. The enlightened business understands that good customer service includes informing the customer about why the business is requesting the customer’s personal data and how the business will treat the data, and then treating the data accordingly.

Both the well-informed customer and the enlightened business recognize that when done right, the processing of personal data is part of a mutually satisfying business transaction. The same can be said of honoring data subject rights under the GDPR.

That many businesses are slowly awakening to the recognition that honoring customer privacy is a key component of good customer service brings to mind the slow development of customer-friendly return policies. Check out if you want to show your customers that you respect them. But businesses with well-deserved brand loyalty, such as Patagonia and Amazon, figured out a long time ago that a favorable return policy is an important factor in the customer’s purchase decision. Now, the business that respects a customer’s privacy, like Channel 4 in the United Kingdom, makes it easy for the customer to assert his or her data rights, and honoring them will not only help enhance its brand by doing so but be that much closer to GDPR compliance.