The General Data Protection Regulation (GDPR) went into effect on May 25th, 2018. While it was passed by the European Union (EU) to protect its citizens, its reach has extended well beyond European borders to anywhere that personal data is being collected and processed. This includes businesses and contact centers in the United States.

Readiness should continue to be the central concern for those stateside. When it comes to GDPR readiness, Timothy Blank, head of data privacy and cybersecurity practices at the Boston office of Dechert, LLP, tells Reuters that on a scale of zero to one hundred, there are quite a few firms, mostly smaller ones, that are at zero, whereas most of the largest firms with international operations are somewhere between 90 and 95, and no one is at 100.

Businesses will need to continue to make changes in how their contact centers handle customer data after May 2018, when the regulations have taken effect. Understanding what the GDPR is and the impact it will have on contact center operations well into the future is crucial to preparedness.

What is the GDPR?

The GDPR was designed to protect the privacy of EU residents, granting them more control over their own personal data. The legislation affirms that the ownership of personal data remains with the individual, not with the data controllers or processors. The GDPR also asserts that residents have the right to be forgotten while setting strict new rules on how businesses control and process personally identifiable information.

The regulations include enhanced requirements regarding consent that allow citizens to exercise their right to be forgotten, that is, to be removed from company databases. Obtaining consent to process personal information seems straightforward; however, these rules state that this consent must be specific and granular. This means that the consent records themselves must make perfectly clear which processing the consumer accepts and which processing the consumer prohibits. A consumer may sign up for a new service but prohibit the service from any further use of his data. The contact information submitted at signup does not opt him into marketing emails; that consent must be given separately.

Article 4 of the GDPR defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. Businesses must determine very quickly whether or not a breach can cause risk to the rights and freedoms of their EU consumers. Any large exposure of sensitive data (such as medical or financial information) requires notification to an EU regulator within 72 hours. Data subjects must be notified of any high-risk breaches that compromise fundamental property and privacy rights (such as credit card numbers or account passwords). According to gdpr-info.eu, GDPR breaches can result in fines of up to 4% of annual global turnover or 20 million euros (whichever is greater).

Does the GDPR affect companies in the U.S.?

If your organization operates in the EU, or if it collects personal or behavioral information of anyone in the EU, you are bound by the GDPR. Note two things here: the geographical component and the fact that GDPR protections don’t only apply to financial transactions. Let’s say you send out a marketing survey to consumers. If you receive responses from anyone in the EU, that information would need to be protected under the GDPR. However, protections would not extend to any responses submitted by any respondents outside of the EU, even if those respondents are European residents.

What does this mean for the contact center industry?

Contact centers will have to audit everything from agent monitoring to self-service applications to ensure compliance with the wide-sweeping regulations. Here are some key ways in which the GDPR could affect the contact center industry:

Consumer access to personal data

Consumers are more aware of how their data is being used than ever before, and they have expectations of how it should be handled. A report, Whose Data Is It Anyway?, by the Chartered Institute of Marketing (CIM) revealed that 57% of consumers do not trust an organization to use their data responsibly. Given consumer mistrust, the GDPR rules governing privacy, visibility, and restrictions on access to data have created an opportunity for businesses to differentiate themselves through customer trust via better data processes. Transparency in how data is being used and making it easy for customers to access and edit their personal information can go a long way towards building this trust. A self-service portal that allows consumers to execute their own data requests could give customers the freedom they desire while helping contact centers mitigate a possible inundation of data inquiries.

Data processes

The GDPR has strict requirements for the protection of personally identifiable information (PII) as it is collected, transferred, and processed. Every customer has the right to access their PII in a commonly used format and have it erased immediately without cost to them. To ensure compliance, every business should consider solutions that can track data across the whole customer journey, from its creation to its destruction. This way, if a customer requests that her data be deleted, the request is easy to fulfill in real time. This type of tracking can also facilitate proactive data practices on behalf of the consumer: collected data can be evaluated and then erased if it is irrelevant, a sign of good faith to the consumer.

Other established compliances here in the U.S., like HIPAA and PCI DSS, provide a framework for comparison against the GDPR. Businesses that already meet these compliances may have a good head start in operations, security, auditing, and reporting technologies they’ve deployed. In some cases, what’s already in place for HIPAA and PCI DSS may be extended to include GDPR-governed data.

Personnel

Many contact centers have organized teams to implement and monitor GDPR-friendly technologies and policies. These teams include advisors and supervisors that are trained in GDPR compliance. Consumer privacy will continue to be a business priority, so expect the job descriptions of these personnel to change to include ongoing inspection of contact center compliance.

Compliance may also require changes to agent training and duties. For example, agents might be trained in the basics of the GDPR. Agent scripts may change to include granular privacy questions like, "May we keep a recording of this call for quality assurance purposes?" or "May we use this phone number to contact you about new products and services?" Monitoring technologies will be a vital part of the technology stack, so supervisors can confirm that agents are asking for the customer's consent and recording withdrawal of that consent in accordance with their training. Monitoring can also identify which agents need additional coaching in GDPR compliance.

Outsourced contact centers are also a concern for many businesses because it is the data controller that maintains responsibility for GDPR compliance, not the solutions provider. If an outsourced contact center commits a GDPR violation, the penalty will fall on the contracting business, because it controls the PII. Organizations should consider auditing their service providers to make sure all technologies linked to the contact center and all their operations are GDPR-compliant.

Customer interactions

The GDPR will not only change the way contact centers operate behind the scenes but also how they interact with customers. With consumer consent and privacy as new priorities, businesses are being forced to access personal information through other means, i.e., more meaningful customer engagements. These agent-customer interactions are balancing compliance and relationship, trying to increase net promoter scores and trust as a roundabout way to obtain consent to data usage.

One of the biggest changes the GDPR has brought to customer interactions is that businesses will have to justify call recordings. The commonplace message that your call is being recorded for training or quality purposes is no longer enough. Consumers will have to consent to the call being recorded. An IVR prompt to opt in or out of call recording is a viable option for many contact centers. Recording policies and agent training may also need to be updated to better define the need for call recording and how to obtain consent from the individual.

This has created, and will continue to create, some service obstacles for contact centers. For example, the initial moments of contact have become more complicated than in the past, when an automatic message notified the caller but did not seek permission. Also, consider that call quality may suffer as more customers deny requests for call recording. Again, contact centers must walk a fine line between compliance and relationship. Workarounds like more real-time agent monitoring have to be put in place to keep agents accountable, so customer satisfaction doesn't slip in the absence of call recordings.

Is your contact center ready?

In a world where data has become currency, the GDPR has introduced enormous change into how we do business. Its impact on American contact centers has been significant, permanently changing the way they collect, store and use customer data. Ultimately, the legislation should be viewed as an opportunity for businesses all over the world to build customer trust by taking an advocate role in their consumer’s rights to privacy and security.

This article was originally written on March 26, 2018 and has been updated with current information.

Aceyus Team