The impact of the GDPR on contact centre operations
- Published: Wednesday, 17 May 2017 08:24
By Matthew Bryars
Many UK businesses do not believe the General Data Protection Regulation (GDPR) will have an impact after the UK leaves the EU. They are wrong! It will, and even businesses that are preparing may not have considered the full extent of the new legislation in every area of their business.
Take the contact centre. The new, stricter set of rules around how data is captured and stored will place much tighter regulations around call recording and archiving. Most businesses either directly operate a contact centre, or outsource contact centre requirements to a third party. Businesses will need to be thinking about the regulatory impact on every contact centre touch point, from customer services and technical support to sales and marketing.
The GDPR is a legal framework for handling personal data of individuals based in the EU, wherever in the world their data ends up being held or used. Wherever an organization holds personal data, it will need to step up efforts to ensure that data is responsibly and securely managed in line with GDPR requirements. The legislation also addresses the broader issue of containing the ever-growing tide of online criminal activity. The data management practices of the new framework will become a crucial deterrent against cyber crime.
The key impact for contact centres is the GDPR definition of personal information. Whereas, previously, data protection requirements have been narrowly defined, GDPR covers any data that can be used to identify a person: either on its own or in combination with other data.
Take payment information for example. Under current rules, it is a violation of the Payment Card Industry Data Security Standard (PCI DSS) requirement for any merchant to store sensitive payment authentication data after authorisation, even if encrypted. Additionally, Financial Conduct Authority (FCA) regulations demand that financial institutes keep sufficient detail of all their transactions, often for many years after a transaction takes place.
To comply with these requirements, many businesses deploy secure telephone payment platforms in their customer contact centres. This means that companies governed by the FCA can maintain accurate transaction records whilst ensuring that no sensitive payment data is captured as part of those calls. At the point of a payment, customers are re-routed through the secure payment platform, keying in their payment information via the telephone keypad where it is processed directly with the bank. If the information never enters the call centre, PCI compliance is achieved, while the merchant has the complete call recording required to meet FCA requirements.
Under GDPR, all personal data is protected. While keeping payment information out of the call centre is possible, keeping all personal data out of the contact centre is not. Instead, businesses will need to think about how they store and recall the data. Individuals will have the right to make reasonable requests to access their personal data, and this time it will be without cost. Businesses will be obliged to share any personal data held within the contact centre, without delay and within one month.
Individuals will also be able to request a copy of their data in a structured, digital and commonly used format from the controller. Contact centres must question whether they have the correct infrastructure to process these requests. How will they check the status of any such requests?
The GDPR suggests that self-service is a best practice approach to providing this. Customers should be able to access their personal information directly and edit what is stored if they wish. Many businesses will need to question their current capabilities and, in many cases, upgrade their systems. They will need a platform that archives data in a cohesive, organized manner and enables instant recall.
More importantly still, individuals will have the right to have all of their personal data erased. Known as the ‘right to erasure’, organizations have to comply without undue delay if the customer makes a request. Businesses will need to think about how and where their call recordings are stored, ensuring they can identify, access and, if necessary, delete any recording or record that includes a customer’s personal information.
Why the GDPR matters now
Under existing data protection rules, the UK Information Commissioners Office (ICO) can fine organizations up to £500,000 for the most serious data breaches. As such, it is possible to consider these as a cost of doing business. GDPR raises the stakes to a whole new level.
The maximum fine will be 4 percent of a group's global sales or 20 million Euros: whichever is higher. Even if a subsidiary is found in breach of the GDPR, it is the whole group that is fined and the whole group's worldwide sales that are used to calculate the 4 percent penalty. Businesses outsourcing contact centre operations will also remain responsible for their customer data. They will need to question the capability of third parties and consider the risk assessment of outsourcing operations when the new legislation comes into force.
The new legal framework aims to address an urgent issue that currently threatens to undermine the digital economy. More than 4.8 billion data records have been exposed since 2013, with identity theft being the leading type of data breach; accounting for 64 percent of all data breaches. Unlike previous generations of data legislation, the consequences of being part of the problem can no longer be counted as the cost of doing business. The mismanagement of customer data will matter considerably, both to the bottom line and to reputation.
GDPR will change the way organizations and their customers engage, and its impact will undoubtedly improve standards around privacy and data protection. Technology will play a vital role in the governance and management of the new requirements, and much of what is currently used in contact centres will need to be upgraded to become GDPR compliant. How GDPR will actually work in practice still remains unknown. The way in businesses decide to craft their GDPR strategy will be key in the success of the legislation. With less than 12 months to go, however, organizations need to be preparing now.
Matthew Bryars is CEO of Aeriandi.