Kirk Dobie discusses the impacts of GDPR on the contact centre, while highlighting what you need to do to stay compliant.
Despite the abundance of articles designed to shed light on the mystery that is GDPR, the new regulations still seem vague and alien to many organisations.
With the threat of fines of up to 20 million euros or 4% of group turnover, most companies are aware that something has to change. Few, however, know exactly what the regulations mean or whose responsibility it is to make the relevant changes.
Contact centres deal with vast quantities of personal data every day and security should be at the heart of all processes. There are key changes you need to make to ensure your organisation is compliant.
ISO27001, ISO9001 and PCI accreditation, DMA membership and DPA compliance will make the transition to GDPR compliance much easier. But while these accreditations provide a strong platform, GDPR also demands new levels of customer rights in the shape of transparent consent, access, control and security.
What Rights Does GDPR Give to the Individual?
GDPR is designed to protect the rights of individuals to control how their data is used.
Companies must make alterations, confirm permissions, justify the holding of data and provide a comprehensive record of all data held regarding an individual upon request. The new regulations are designed to give consumers the following rights:
- The right of access – “What personal data are you storing on me?”
- The right to rectification – “You have my date of birth wrong, please change it.”
- The right to erasure – “Delete me from all of your databases.”
- The right to restrict processing – “I don’t want to hear about your product again.”
- The right to data portability – “I only want to hear from another part of your group.”
- The right to object – “I don’t want any more research calls from you.”
- Rights in relation to automated decision making and profiling – “Why are you calling me?”
- The right to be informed – “Where did you get my details, when did I give you consent?”
Consent under GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes with a clear affirmative action – or in other words, a positive opt-in.
Consent cannot be inferred and it must also be simple for people to withdraw.
You may already be familiar with subject access requests; going forward, consent must also be quickly and easily verifiable, i.e. on what date it was given, by what method, by whom and how.
In summary, GDPR requires that personal data must be:
- Collected for specified, explicit and legitimate purposes
- Processed lawfully, fairly and in a transparent manner
- Adequate, relevant and limited to what is necessary
- Accurate and kept up to date, with inaccurate personal data erased or rectified
- Kept in a form which permits identification of data subjects for no longer than necessary
- Processed under appropriate security
Who Is Responsible for Compliance?
In the past the responsibility fell to both client ‘data controllers’ as the ultimate data owners and ‘data processors’, suppliers who carried out tasks with the data such as making calls.
If you are a processor, the GDPR places specific new obligations on you, for example you will be required to maintain records of personal data and processing activities. You will have new and significant financial liability if you are responsible for a breach, especially if you do not admit to it and repair it as quickly as possible.
If you are a controller, the GDPR places further obligations on you to ensure your processors comply with the GDPR. As a controller, you should ask your data suppliers about their GDPR compliance plan – they need to adhere to it just as much as you do.
GDPR applies to processing carried out by organisations operating within the EU and to organisations outside the EU that offer goods or services to individuals in the EU.
The Compliance or Data Protection Officer
Many businesses have made changes already and taken steps to hire an experienced Compliance or Data Protection Officer. If your business has appointed such a person then you should already be very aware of GDPR, the changes your business must make and the potential impact to your business.
The bulk of their job description relates to:
- Informing, advising and monitoring the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
- Managing related activities, advising on data protection impact assessments and conducting internal audits.
- Being the first point of contact for all data issues and procedures, reporting to the highest level of your organisation and operating independently.
- Ensuring they have adequate resources to meet your organisation’s GDPR obligations and to run Data Protection Impact Assessments.
What Does My Organisation Need to Do to Become and Remain GDPR Compliant?
Here is a list of five key things that a contact centre must do to ensure GDPR compliance.
1. Audit your business, identify risks, manage and constantly seek to reduce risk
GDPR compliance is an ongoing process which requires constant monitoring. Ensure that regular assessments are conducted to minimise risk.
2. Map processes, cleanse, update, track and re-permission personal data when required
Individuals now have the right to understand and control how their data is being used. By implementing a thorough mapping and update process and verifying consent you can respond easily to requests for access and changes.
3. Gain stakeholder and customer trust that any personal data is properly protected
Ensure your processes are transparent and make policies clear and accessible to build trust. Be proactive about achieving compliance to demonstrate to stakeholders and customers that data protection is a key priority for your organisation and use it as an opportunity for differentiation from competitors.
4. Apply detailed assessments across your business, IT, HR, finance, marketing, legal and procurement and not just at the sharp end – on the phone!
GDPR compliance is not simply the responsibility of a single person. Monitor implementation across all departments and levels to meet the terms of new regulations.
5. Safeguard your organisation’s reputation and avoid adverse publicity and liability while preventing potential fines
GDPR is designed to make a positive change to the way in which our data is used. If you embrace the changes as an opportunity to build better connections, your organisation will adapt successfully. Making small changes demonstrates your efforts to comply and shows that your organisation is moving in the right direction.
The new regulations offer an opportunity for more sophisticated data analysis, better insights and stronger customer relationships as a result. It will be up to your company to make the most of GDPR and turn it into one of your company’s strengths, rather than a worrying weakness.
Are there any other ways that you would suggest a contact centre can stay compliant?
Please share your thoughts in the comments section below.
This article was written by Kirk Dobie, a Senior Consultant at Customer Plus.