If your contact center operates in the EU or if you work with EU-based customers, you have probably heard a lot about the GDPR – the General Data Privacy Regulation coming into force on May 25, 2018. Being the most important change in the data privacy regulation in the last 20 years, the GDPR will toughen requirements on how companies deal with personal customer data. Significantly, after the new regulation becomes effective, non-compliant organizations may become at risk of heavy fines.
As opposed to the previous Data Protection Directive 95/46/EC that will be replaced with the GDPR, the new standard is a regulation. The difference between the two is that a regulation is a binding legislative act, which must be applied in its entirety across the EU, while a directive is a legislative act that only sets out a goal that must be achieved by all EU countries, but it is up to individual countries to decide how.
On the one hand, there are many misconceptions and scary myths around GDPR requirements. On the other hand, there is a worrying number of organizations that do not have specific plans for the GDPR compliance.“Gartner predicts that by the end of 2018, more than 50 percent of companies affected by the GDPR will not be in full compliance with its requirements.” Gartner
In this article, we take a look at how GDPR requirements apply to contact centers, what contact centers should specifically do to comply with the new regulation, and how they can turn their compliance with the new regulatory requirements into their advantage.
It is important to understand that the GDPR is an evolution of customer data protection, not a revolution. But even some evolutionary business requirements might quickly become a revolution on the technology side. Most of the software used by organizations must be re-designed to ensure full GDPR support. We have already seen some of US-based cloud systems discontinued after the announcement that they will not support the GDPR due to technology challenges (for example, Salesforce announced it will not support the GDPR for the SalesforceIQ (ex-RelateIQ) CRM system and recommended all the users to switch to Sales Cloud, and later they discontinued the product completely).
Significantly, the GDPR affects not only technology but many other areas of the business.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a new regulation that replaces the Data Protection Directive extending the geography of the law, enhancing individual rights and increasing requirements to organizations that collect and process personal data of EU citizens.
Unlike previous standards, the GDPR applies not only to organizations that are located in Europe but also to companies from other territories. If an organization controls, collect and/or processes data of EU citizens, it is responsible for GDPR compliance, regardless of its physical presence in the European Union.
The GDPR specifies rights of EU citizens: the right to information, the right to data access, the right of rectification, the right to be forgotten, the right to restrict processing, the right of notification, the right to data portability, the right not to be evaluated based on results of automated processing of personal data (ML, AI), the right to bring class actions.
The most significant regulatory changes were made in respect of the following for rights of the subjects: the right of breach notification, which means that data processors will be required to notify their customers without delays on any data breaches, the right to data portability (i.e., the right for individuals to receive the personal data concerning them); the right to data portability, i.e., the right for individuals to receive the personal data concerning them; the right to access information, meaning that individuals will have more freedom in obtaining data on whether or not their personal data are being processed and for what purposes and will have an opportunity to request a free copy of their personal data; the right to be forgotten, which entitles the data subject to have his/her personal data erased and not used for further processing; and the right to be notified on the data breach without undue delays within hours after the organization becomes aware of such an event.
Another important addition is that the GDPR introduces high penalties for organizations that fail to meet its requirements. The fines are theoretically up to 4% of the organization’s global turnover or 20 million EUR, whichever is higher. It is important to note that these rules apply to both controllers and processors.
Data subject rights according to the GDPR
Right to information
It is important to clearly communicate with a data subject (an EU citizen) on Who, What, Why and How will access his/her private information and how long it will be stored.
Right to data access
Individuals have the right to access their personal data. This represents a significant technological challenge for most of the industries, since most systems were not designed to provide customers with access to their data.
Right of rectification
Customers should have the right to correct their personal data, which includes the right to have incomplete personal data completed by adding a supplementary statement, depending on the purpose of processing.
Right to be forgotten
A person has the right not only to correct but also to delete their data. According to the GDPR, a person should be able to request that his/her personal data are erased and no longer processed if such data are not required any more for the purposes for which they were initially collected or processed, if the data subject has withdrawn his or her consent on the processing, or if the processing of the personal data does not comply with the GDPR requirements.
To support this requirement, organizations must do an analysis on where and how customer data are stored. Not every system allows deleting customer data without traces, and this imposes additional challenges on organizations that collect or process private data.
Of course, in cases where the legislation requires organizations to keep data (for example, in case of financial transactions), they should be kept and cannot be deleted, but this must be clearly communicated to the data subject.
Right to restrict processing
A customer has the right to limit purposes of data processing. For example, fhe or she can wish to restrict usage of their data for the purpose of direct marketing or for other similar purposes.
Right of notification
There are two types of notifications associated with the use of personal data. These are policy and statement updates and data breach notifications (see the Breach notification section).
Right to object
Individuals have the right to pull away their consent, and it should be as easy as to give the consent.
E.g.: If a consent was given by ticking the checkbox, you cannot ask a customer to call the data processor and wait 20 minutes to fill out some papers to opt-out the granted consent, it needs to be transparent and it needs to be as easy as to give the consent.
Right to data portability
A customer can request all stored personal information filed in a “commonly used, machine-readable format” like the PDF or the Text format.
Right not to be evaluated based on automated processing
This right allows data subjects to restrict usage of their personal information for machine learning, AI, etc. Moreover, organizations should be transparent in which areas they use the AI and machine learning to process personal information.
Right to bring class actions
Besides large fines, organizations breaking the GDPR can be affected by class action lawsuits. There are already not-for-profit organizations that are trying to take advantage of that right to collectivize individual claims and transform them into class actions.
How does the new GDPR regulation apply to contact centers?
Transparency between contact centers and individuals is the key concept required by the GDPR. This means that any purpose of personal data collection and storage should be clearly communicated to the data subject. Moreover, after collecting the data, it is important that contact center remains open and transparent throughout the process of personal data management. Ideally, there should be an automated gate to provide individuals with access to their personal data, with the option to “be forgotten”.
Data Minimization. Many organizations try to collect all possible data on their customers and reuse these data for marketing and other purposes or even resell it. While it is not prohibited, it must be minimized to be adequate, relevant, and limited to what is necessary for the purpose of collection. Contact center should be ready to provide customers with an explanation on why they request particular personal information.
For example, when a contact center is servicing an Online store, it may ask individuals to provide their names and phone numbers. It might be needless to request additional details, such as an employer’s name or how many children the customer has.
Consent conditions have been strengthened, and companies cannot rely on “long illegible terms and conditions full of legalese”. For a contact center capturing tons of personal data for multiple purposes, it becomes vital to implement special tools that allow notifying their customers on the data capture and enabling them to make informed decisions on the use of their data. The request for a consent must be clear and provided in an intelligible and easily accessible form, using a clear and plain language. It must be as easy to withdraw a consent as it is to give it.Companies cannot rely on “long illegible terms and conditions full of legalese”
Call recording must be justified by one of the following: 1) a customer grants his/her consent to be recorded; 2) recording is done for protection of interests of one of the parties; or 3) recording is required by law. Contact centers must review their recording policies and analyze how they get permissions to be recorded from their customers (via agent scripts, IVR or other tools).
Agent scripts and IVR workflows should be adapted accordingly. If you collect customer data (including voice/camera recording), the customer should grant you his/her consent to record the call and be able to easily request you to delete the recording or provide the recorded file to him/her.
Data storage and processing
Is it necessary to keep all the customer data in Europe?
It is a common misconception to think that in order to comply with the GDPR, you must store customer data in the EU. The GDPR states that as long as the personal data are “adequately protected”, they may be transferred abroad.
The list of adequately protected countries includes the US (which is covered by the US-EU Privacy Shield Framework) and countries like Argentina, Canada, Iceland, Israel, New Zealand, Norway, Switzerland, and others. The whole list of the authorized countires can be found at https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en
Importantly, even if you transfer data to an “adequately protected” country, they should be transparently communicated with the person whose data you are processing.
For any personal data breaches, a contact center should have a response plan that clearly defines how to address the breach, how to notify individuals on it and what actions should be taken to address compromised information.
From the very point when an organization becomes aware of a privacy breach, it should notify authorities and data subjects (customers) within 72 hours.
Many organizations having breaches might stay silent on them for years, but now data protection authorities want to be notified on such accidents as soon as they happen.
Therefore, it is important to get ready beforehand and prepare an internal breach plan.
Data Protection Officer
For large organizations, it is required to appoint a special Data Protection Officer (DPO) and provide this person with appropriate resources to carry out his/her tasks and maintain his/her expert knowledge.
What if my business outsources a contact center?
According to Article 4 of the GDPR, a controller is an entity that determines the purposes, conditions, and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller. This means that even if you outsource your contact center, you are still recognized as a data controller and must ensure that your service providers are 100% GDPR compliant.
Security by design
Data security is one of the key concepts of GDPR and private data encryption and security should not be forgotten with all the organization and technology changes.
Security activities that might be considered as recommended:
- The pseudonymization and encryption of personal data
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing
How to get ready?
Even if you cannot comply with all the requirements from Day 1, you should definitely plan steps to full compliance. Showing an intent to fully comply with the GDPR highly reduces the likelihood of any unpleasant consequences.
Running audit of your processes, policies, and technology is a great starting point, which will ensure quicker adjusting of processes and policies to the new requirements.
Switching to a solution that supports both cloud and in-house installations might be a great alternative for a cost-effective transition.
When done properly, the GDPR compliance can help you build trust with individuals, open new doors for data usage, allow better analysis of information and become a competitive advantage.
Steps to make to be better prepared for the GDPR:
- Check if your contact center is GDPR compliant with our GDPR Check List
- Map GDPR requirements with your organization use cases
- List all personal information you store
- List all your data processing activities (remember that storing and keeping information is also a form of processing)
- Find all locations where customer data are stored (usually they are stored in multiple systems)
- Check if you provide customer data to third parties
- Define the GDPR compliance plan or review/update it if you already have one
- Subscribe to Noda Contact Center to receive updates and other relevant information
The aim of the GDPR is to protect EU citizens from privacy and data breaches in an increasingly data-driven world. Since the operation of contact centers is directly associated with the processing of a great deal of personal data, they are greatly exposed to the risk of such data breaches. The compliance with the new data protection standards allows contact centers to mitigate such risks and take higher responsibility for the protection of their customers, while the role of modern technologies is to make it easy for the companies to comply.
Disclaimer: This article is not legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information and our interpretation of the changes GDPR introduces. This legal information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy.