How Will GDPR Affect the Call Centre Industry?

Our panel of experts assess how the new GDPR regulations, which will come into effect in May 2018, will impact the contact centre industry.

Customers Will Be Able to Access Personal Data Without Incurring a Charge

The 99 articles which comprise GDPR are intended to inspire confidence in customers that companies can be trusted to protect their personal data in terms of its storage and use.

Amongst other things, an individual will have the right to request any of the following without incurring charge:

• Access to all their personal data in a structured digital (and commonly used) format (e.g. a csv or text file). To be fulfilled within one month of request.
• Erasure of all their personal data, without undue delay. This will include all data records and call recordings.

So, are you able to easily identify all records relating to an individual and fulfil the above in a timely fashion? Are your contact centre staff able to process and track the progress of such requests? These are the questions that contact centres will need to ask themselves.

Fortunately, the regulation also provides some suggestions for how to meet the requirement. In the case of the above, it suggests self-service is the best method. So providing an online portal for customers to immediately access their own information would be one way to ensure compliance.

The Fines for Data Breaches Will Be Substantial

Be under no illusion, GDPR will have an impact on all areas of a business and, as a major touchpoint for the collection of personal data, this will affect the contact centre.

One part of the regulation raising eyebrows is the size of fines for data breaches, which can be up to €20 million or 4% of annual worldwide turnover for the previous year (whichever is highest).

The size of fines for data breaches can be up to €20 million or 4% of annual worldwide turnover for the previous year (whichever is highest).

Paul Cunningham

Data security should be at the heart of any new projects or systems that a contact centre is currently planning. It should audit all existing contact centre systems to ensure they comply with international security standards to minimise the risk of a data breach.

Also, companies should assess the impact of a data breach at any given part of its contact centre infrastructure.

There are less than 6 months before GDPR comes into force –contact centres should be preparing now!

Thanks to Paul Cunningham at Bright

GDPR Will Require a Team to Monitor Implementation

To make the most of GDPR it is vital that they empower a team to fully audit and monitor GDPR implementation. This team will consider every aspect of how customer data is captured stored and transferred across borders.

GDPR should lead to a paradigm shift in the way that companies organise themselves and approach aspects of the business.

By prioritising gaining customers’ consent over volume metrics like the number of email addresses in their database, brands will be challenged to communicate with their customers in new ways. This will help to build deeper, longer-term connections with a more engaged customer base.

In return, these connections will lead to higher satisfaction and more referrals, benefiting the brand through revenue generation.

GDPR is a catalyst for change, but companies need to understand and treat GDPR as an ongoing process that must be continuously finessed and progressed with time.

Thanks to Shahzad Ahmad at Genesys

Businesses Will Need to Justify Call Recording in One of the Following Six Ways

The main change that GDPR will bring to the contact centre industry is that they will have to able to justify the requirement to record in the first place.

To be able to record calls, businesses must meet one of the following six reasons:

1. The people involved in the call have given consent to be recorded
2. Recording is necessary for the fulfilment of a contract
3. Recording is necessary to fulfil a legal requirement
4. Recording is necessary to protect the interests of one or more participants
5. Recording is in the public interest, or necessary for the exercise of official authority
6. Recording is in the legitimate interests of the recorder, unless those interests are overridden by the interests of the participants in the call

For contact centres which currently state that recording is for training or quality purposes, the main area of change will be around gaining consent from the individual. This means, right now contact centres should be working on their recording policies and defining their needs and working out how they will obtain the consent of the individual.

It may even be necessary to appoint an internal Data Protection Officer (DPO) to ensure compliance to GDPR across the board.

Thanks to Atiq Rehman at Business Systems

GDPR Will Bring Significant Outsourcing Considerations

The forthcoming GDPR introduces an immediate need for contact centre managers to fully understand the implications that this legislation will bring operationally.

This includes the operations of any outsourcing partners. Organisations who choose to outsource their contact centres need to be aware that they are still the data controllers, and must take steps to ensure that their respective service providers have systems and processes which are compliant with the GDPR.

With data protection being the crux of the regulation, all software that can be linked to the contact centre must be GDPR compliant.

The rights of data subjects (such as access to their data and receiving copies of the data) need to be supportable by all these platforms, and may require new business processes in order to comply.

Organisations Will Need to Demonstrate Their Commitment to GDPR

It should be recognised that showing intent is key to reducing the likelihood of large financial penalties and damage to your organisation’s hard-earned reputation.

Small steps such as implementing secure printing or enforcing clear desk policies (where personal data, passwords etc. simply cannot be left around) are seen as showing intent in the eyes of the enforcer.

While these steps won’t make the contact centre compliant, they will kickstart the programme, raise the awareness of the importance of data protection and the GDPR, and finally reach the point of compliance.

Contact centre leaders need to work closely with whoever is running the GDPR programme, and should familiarise themselves with the regulation information at .ico.org.uk.

Thanks to Barry Reynolds at Olive

Contact Centres Will Have to Review Data Storage and Accessibility

The new legislation means that contact centres will need to go beyond card data to secure all personal customer and employee data as described in GDPR as personally identifiable information (PII).

Additional requirements include the right for individuals to be forgotten, data transfer, visibility and access to any registered data. Therefore contact centres will need to look out for where data is stored, its relevance and accessibility.

The good news is contact centres have long been aware of the importance of keeping customer and employee data updated, relevant and safe, therefore should be well prepared for GDPR.

Thanks to Thomas Rødseth at Puzzel 

PCI DSS and GDPR Will Complement One Another

In essence, PCI DSS and GDPR complement each other, and organisations already PCI DSS compliant will find that it’s relatively straightforward to enact GDPR compliance  alongside what they already have in place. Complying with PCI DSS can also be used to help prove GDPR compliance.

Organisations already PCI DSS compliant will find that it’s relatively straightforward to enact GDPR compliance.

Simon Beeching

If an organisation is PCI DSS compliant, then it will already be conducting annual reviews of the card data that is being processed, as a requirement of its compliance. The aim of this is to ensure that any new technology that has been introduced, or new processes that have been implemented, are included within your PCI DSS compliance.

Having this schedule of reviews provides a framework that can also be used when implementing GDPR, giving the contact centre an advantage over organisations starting from scratch.

Likewise, if an organisation is PCI DSS compliant, then it may well have already invested in secure technologies, encryption, auditing, firewalls, logging and so on.

Once the contact centre identifies the additional personal data the organisation needs to protect under the terms of the GDPR, then it may already have the technology, processes and procedures in place to protect it. The technology already being used for PCI compliance can be extended into this new arena in many instances.

Thanks to Simon Beeching at Syntec

GDPR Will Bridge the Gap Between Technology and Regulatory Requirements

GDPR is about enforcing better data processes, and a “privacy by design” approach, one that would shift the compliance paradigm from a “tick the box” attitude to a more proactive one. Privacy and transparency are key components of this approach.

But how can the contact centre take this approach? The GDPR is largely non-prescriptive and only sets the ground for a methodological change. Nonetheless, some clues can be found in the text of the law, and especially from the commitment to state-of-the-art solutions.

How does that help contact centres? It helps in bridging the gap between regulatory and tech requirements. With GDPR, contact centres must ensure that they use technologies that enable them to reduce their costs and consolidate their compliance practice.

To do this, contact centres can leverage analytics to be able to follow the flow of data, using solutions such as NICE’s Compliance Center, which addresses the needs of advisors with notifications, dedicated workflows and compliance officers. This technology is also equipped with dedicated compliance applications for recording assurance and policy management.

Thanks to Pearl Lieberman at NICE

Advisors Will Have to Be Taught About GDPR Compliance

Advisors will no doubt have to be trained in key aspects of GDPR, such as:

• How to deal with requests to access personal data
• Consumer requests to correct such data
• The consumer’s ‘right to be forgotten’
• How to gain consent to use personal data

But is teaching advisors these things enough? Simply recording your calls and doing random compliance checks will not provide confidence in your compliance.

To be more certain of GDPR compliance, call centres could capture and analyse every customer interaction. This will show that your advisors are correctly asking for the customer’s consent, or properly documenting revocation of consent. And if they not, the contact centre will need to be able to quickly identify which advisors need specific GPDR coaching to correct the problem.

Consumers are becoming increasingly aware of their rights over their own data. They have very clear expectations about how their data is handled when they call in or interact online, and these expectations are heightened with GDPR. This will mean advisors will need GDPR guidance.

Thanks to Frank Sherlock at CallMiner

Businesses Will Need to Make It Easy for Customers to Access Data

Organisations need to make it as easy as possible for their customers to access the data held about them and edit what is there.

To do this, many businesses will need to upgrade their current infrastructure and systems, with one possible approach being the implementation of IVR systems that support this self-service approach.

Organisations need to make it as easy as possible for their customers to access data held about them and edit what is there.

Jeremy Payne

This whole approach is part of a wider trend where consumers gain ever-greater control of their own data, including the right to ‘turn it on and off’ as they see fit.

By ensuring the customer benefits from allowing them access to and use of their data, businesses can build strong bonds of trust and drive incremental revenue streams and ultimately competitive edge.

It’s a key part of the way businesses are resetting their whole approach to data and addressing the challenge while capitalising on the opportunities of the new GDPR age.

Thanks to Jeremy Payne at Enghouse Interactive

Organisations Will Learn to Look Beyond the Minimum Viable Compliance

While it’s easy just to focus on the potential penalties of GDPR non-compliance, it is beginning to seem as though organisations need to look beyond minimum viable compliance.

GDPR should be seen as an opportunity for brands to get their data in order, effectively creating a single, permission-based customer view that extends right across the end-to-end customer journey.

These regulations could also be viewed as an opportunity for contact centres to make trust a key competitive differentiator while also updating current systems and processes.

Thanks to Stuart Dorman at Sabio

Customers Will Be Able to Delete Personal Data Upon Request

In addition to creating a higher standard for consent, GDPR will give consumers the right to ask companies holding their personal data to delete it.

In anticipation of this law coming into effect, organisations should consider performing an audit, recording what information you hold and where it came from. Implementing tech capable of tracking customer data as it moves through your system will also ensure that the contact centre will be able to delete it upon any future request.

In fact, technology can help play a vital role in complying with the new GDPR requirements. For example, tech that integrates multichannel communication with a CRM platform will help an organisation to manage all the forthcoming implications of GDPR compliance a lot more smoothly.

Thanks to Shawn Scott at NewVoiceMedia

What other changes will these new GDPR regulations bring to the contact centre?

Please share your thoughts in an email to Call Centre Helper.