Those four initials G.D.P.R. can’t have escaped your attention as various organisations try to convince you that the onset of the EU’s data protection regulation leads to nightmares in the contact centre and elsewhere. It’s time to calm down, follow best practice and focus on essentials. Ken Reid explains …
General Data Protection Regulation– What you should know
Don’t get us wrong, you can’t ignore the subject – every business needs to continuously review and record its data processes across its operation – but as we have conversations we’ve come across a number of myths about GDPR and the contact centre:
“It’s going to have a huge impact”
GDPR is an evolution in data protection, not a revolution and, as the Information Commissioners’ Office (ICO) states: “Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA)…”
Numerous contact centres have also complied for some time with the Privacy and Electronic Communications Regulations (PECR), industry guidance such as Financial Conduct Authority (FCA) rules and the worldwide Payment Card Industry Data Security Standard (PCI DSS), so are in a good position to meet the GDPR’s aims.
“We’re leaving the EU so we don’t have to worry”
If you think that’s true you really do have to worry as that’s a fundamental misunderstanding of the GDPR’s purpose! The regulations are designed to protect citizens’ rights and apply to anyone who is processing personal data about an EU citizen anywhere in the world. After the UK leaves the EU there will be around three million such citizens in the UK. It’s also expected that the GDPR provisions will become UK law. You can’t ignore the changes.
“We won’t be able to outbound call because of GDPR”
We don’t know where this myth originated! Outbound contact centres that follow the PECR and talk to their customers and prospects with permission from that individual can continue to call, text and email.
It’s true to say that the bar is raised on what constitutes ‘permission’ – it needs to be clearer and more explicit – but if you’re following best practice now you’re probably OK with a few tweaks to confirming permission. Updated guidelines are available from the Information Commissioner’s Office with a checklist at:
“We need to change our call recording system”
We’ve heard it a few times: “Call recording systems need to be changed because of GDPR, as you need permission to process personal data”.
It’s true that an identifiable recording is personal data and every contact centre needs to know and document the basis for making the recording. In the GDPR there are six bases for using personal data and as ‘Consent’ is the first on the list it’s easy to assume that’s somehow the best or the only area to focus upon. In reality call recording often takes place in association with a ‘contract’ or is in the ‘legitimate interest’ of protecting both the customer and the contact centre; ‘Contract’ and ‘legitimate interest’ are both lawful bases for processing personal data.
What’s the reality?
Contact centres can’t ignore GDPR but if you’re following today’s rules then completing the work to comply shouldn’t be difficult. Basically it involves:
• Creating the record of the data you’re holding.
• Being able to prove a valid reason why you’re holding it.
• Being able to show how it’s held securely as part of your overall business’s dataflow mapping.
It’s unusual for a contact centre to process data that’s different in nature from other business functions, so most of your required Data Protection Impact Assessments (DPIAs) are likely to be similar to other business systems such as your CRM system.
An area that needs focus for most businesses is confirming that you have appropriate arrangements in place with any technology suppliers to ensure that they support your GDPR processes. Needless to say we do!
Note: we have prepared this note after extensive review of information from many sources. Fresh GDPR guidance is appearing almost daily and we aren’t lawyers so we aren’t qualified to give legal advice.