10 Steps Contact Centres Should Take to Prepare for GDPR
On the 25 May 2018, the General Data Protection Regulation (GDPR) will completely change how organisations working within the EU can collect and hold data. The new, much stricter rules will increase data privacy for individuals while providing regulatory authorities with the power to heavily fine businesses that don’t comply. With the GDPR clock well and truly counting down, here are 10 steps every contact centre needs to take now.
1. Don’t wait for Brexit to save you
A recent study found that one in four businesses have stopped preparing for GDPR because of Brexit. As the data protection authority in the UK, The Information Commissioner's Office (ICO) has confirmed GDPR will be applicable to all companies regardless of Brexit. With the maximum fine for non-compliance set at 4% of global turnover or €20 million, this is one common misconception that could cost you a lot of money.
2. Make all your agents aware
The new rules will apply to every business that processes information within the EU, plus organisations from outside the EU that offer goods or services to European citizens. This means GDPR will require businesses to take a fresh approach to how they acquire, manage and retain personal data. Now is the time to make sure that everyone in your contact centre knows how the GDPR reforms will affect them and the serious consequences non-compliance could create.
3. Develop a clear privacy policy
Once GDPR comes into effect, companies must clearly communicate to customers why their data is being collected and for what purpose. If your contact centre collects data or records calls from customers or prospects, you will need to write a clear and easy to understand privacy policy. In doing so, you should clearly communicate to customers why their data is being requested for collection and how you intend to use it in any future activities.
4. Get ready for a higher standard for consent
GDPR will create a higher standard of consent by ensuring consumers have more choice over whether to provide personal data. Using customer data under GDPR requires clear consent, which means the guidelines for using marketing data is moving to a system that is broadly ‘opt-out’ to one that is largely ‘opt-in’. This means you will need to review how you are seeking, obtaining and recording consent, and whether you need to make any changes. At the same time, using third party data lists to contact cold prospects is likely to become more difficult post-GDPR.
5. Prepare for the right to be forgotten
In addition to creating a higher standard for consent, GDPR will give consumers the right to ask companies holding their personal data to delete it upon request. In anticipation of this law coming into effect, you should consider performing an audit, recording what information you hold and where it came from. Implementing tech capable of tracking customer data as it moves through your system will also ensure that you will be able to delete it upon any future request.
6. Adopt privacy by design
One of the main goals of GDPR is to reduce the amount of customer data that companies collect by default. From securing consent for sending marketing emails to cold calling, GDPR emphasises building privacy protections into products, processes and services. As a result, all your contact centre’s data-driven strategies should include plans for privacy and data protection from the outset, rather than something that is added afterwards.
7. Remind all decision makers that GDPR applies to everyone
Under specific conditions outlined by the IPO, you might need to appoint a Data Protection Officer (DPO). Part of a DPO’s job requires them to inform and advise employees across every department, making sure they comply with GDPR and other data protection laws. You can employ a DPO from within your business, but they need to have suitable experience and must not have other duties that could cause a conflict of interest with the role.
8. Ensure you have the right procedure to report data breaches
Taking a privacy by design approach will help minimise the risk of security breaches within your contact centre while supporting the protection of personal data. However, according to the ICO, GDPR will increase the obligation on organisations to report data breaches to the appropriate supervisory authorities and, possibly, the individual or individuals affected. As a result, making sure you have suitable measures in place to detect, report and investigate a personal data breach is crucial.
9. Double check your insurance coverage
If your contact centre is working on behalf of another business, it’s likely that you will assume at least some of the responsibility for securing their customers’ data. If a client makes a claim against you for failing to protect data, you could be held accountable and liable to pay a portion of a heavy fine. For this reason, if you haven’t already, you should consider updating your liability insurance policy, ideally with a company that specialises in cyber risk.
10. Bring your contact centre’s tech up to speed with GDPR
Technology can help play a vital role in complying with the new GDPR requirements. That’s why the time between now and the new laws coming into effect provides a great opportunity to update your contact centre solution. For example, tech that integrates multichannel communication with a CRM platform that will help you manage all the forthcoming implications of GDPR compliance a lot smoother.
Data security is a key element of NewVoiceMedia’s approach. We’re constantly working to improve the robustness of our service, and are ISO27001 certified with Level 1 PCI DSS compliance.
Learn more about our security features or contact us to find out how we can help make your contact centre GDPR compliant.
