On the 25 May 2018, the General Data Protection Regulation (GDPR) will completely change how organisations working within the EU can collect and hold data. The new, much stricter rules will increase data privacy for individuals while providing regulatory authorities with the power to heavily fine businesses that don’t comply. With the GDPR clock well and truly counting down, here are 10 steps every contact centre needs to take now.
A recent study found that one in four businesses have stopped preparing for GDPR because of Brexit. As the data protection authority in the UK, The Information Commissioner’s Office (ICO) has confirmed GDPR will be applicable to all companies regardless of Brexit. With the maximum fine for non-compliance set at 4% of global turnover or €20 million, this is one common misconception that could cost you a lot of money.
The new rules will apply to every business that processes information within the EU, plus organisations from outside the EU that offer goods or services to European citizens. This means GDPR will require businesses to take a fresh approach to how they acquire, manage and retain personal data. Now is the time to make sure that everyone in your contact centre knows how the GDPR reforms will affect them and the serious consequences non-compliance could create.
GDPR will create a higher standard of consent by ensuring consumers have more choice over whether to provide personal data. Using customer data under GDPR requires clear consent, which means the guidelines for using marketing data is moving to a system that is broadly ‘opt-out’ to one that is largely ‘opt-in’. This means you will need to review how you are seeking, obtaining and recording consent, and whether you need to make any changes. At the same time, using third-party data lists to contact cold prospects is likely to become more difficult post-GDPR.
In addition to creating a higher standard for consent, GDPR will give consumers the right to ask companies holding their personal data to delete it upon request. In anticipation of this law coming into effect, you should consider performing an audit, recording what information you hold and where it came from. Implementing tech capable of tracking customer data as it moves through your system will also ensure that you will be able to delete it upon any future request.
One of the main goals of GDPR is to reduce the amount of customer data that companies collect by default. From securing consent for sending marketing emails to cold calling, GDPR emphasises building privacy protections into products, processes and services. As a result, all your contact centre’s data-driven strategies should include plans for privacy and data protection from the outset, rather than something that is added afterwards.
Under specific conditions outlined by the IPO, you might need to appoint a Data Protection Officer (DPO). Part of a DPO’s job requires them to inform and advise employees across every department, making sure they comply with GDPR and other data protection laws. You can employ a DPO from within your business, but they need to have suitable experience and must not have other duties that could cause a conflict of interest with the role.
Taking a privacy by design approach will help minimise the risk of security breaches within your contact centre while supporting the protection of personal data. However, according to the ICO, GDPR will increase the obligation on organisations to report data breaches to the appropriate supervisory authorities and, possibly, the individual or individuals affected. As a result, making sure you have suitable measures in place to detect, report and investigate a personal data breach is crucial.
If your contact centre is working on behalf of another business, it’s likely that you will assume at least some of the responsibility for securing their customers’ data. If a client makes a claim against you for failing to protect data, you could be held accountable and liable to pay a portion of a heavy fine. For this reason, if you haven’t already, you should consider updating your liability insurance policy, ideally with a company that specialises in cyber risk.
Technology can help play a vital role in complying with the new GDPR requirements. That’s why the time between now and the new laws coming into effect provides a great opportunity to update your contact centre solution. For example, tech that integrates multichannel communication with a CRM platform that will help you manage all the forthcoming implications of GDPR compliance a lot smoother.