The majority of us are unaware of how much of our personal data is now collected and used. Traditionally, it was collected directly from us, for example when we filled in a form, and given with complete knowledge and explicit permission. Increasingly, organisations use data that has not been consciously provided by us.
Our personal data might be observed in our online activity or derived from combining other data sets. It can be inferred by using algorithms to analyse a variety of data together – social media, location data and records of purchases – to profile us in terms of our credit risk, state of health or suitability for a job.
Rebalancing the privacy scales
The General Data Protection Regulation (GDPR) is a timely and much needed piece of legislation. The modern world is evolving rapidly and is vastly different from the one the first data protection legislation was developed for during the 1980s. Rapid consumer and business adoption of new digital behaviours means we need a balance between an expectation of real-time personalised engagement and protection of sensitive, private data.
While in the best cases, these techniques can be used to deliver shared value to both organisation and customer, the GDPR aims to rebalance matters. It sets new standards around transparency and empowers individuals with greater control and conscious choices in how they can manage their personal data.
For training, quality and GDPR purposes
Many businesses either run or outsource contact centre operations, whether for sales, technical support or customer services. Many of these calls are recorded ‘for training and quality purposes’. GDPR will place tighter regulations on how these calls are managed and with fines as high as €20 million, or up to 4% of global turnover, the risks associated with lack of compliance are significant.
The right to erasure for example, will mean businesses will need to think about how and where their call recordings are stored. Customers will have the right to request access to any personal data stored by the company – even if this is in the form of a voice recording. Businesses will need to ensure they can identify, access and if necessary delete any recording that includes a customer’s personal information.
All about the data
The key impact of GDPR in this case is the definition of personal information. Take payment information for example. Under current rules, the Payment Card Industry Data Security Standard (PCI DSS) prohibits any merchant from storing sensitive payment authentication data after authorisation, even if encrypted. Additionally, Financial Conduct Authority (FCA) regulations demand that financial institutions keep sufficient detail of all their transactions, often for many years after a transaction takes place.
To comply with these requirements, many businesses deploy secure telephone payment platforms in their customer contact centres. This means companies governed by the FCA can maintain accurate transaction records whilst ensuring no sensitive payment data is captured as part of those calls. At the point of a payment, customers are re-routed through the secure payment platform, keying in their payment information via the telephone keypad where it is processed directly with the bank. If the information never enters the call centre, PCI compliance is achieved, while the merchant has the complete call recording required to meet FCA requirements.
Defining personal data
The GDPR will apply to any other personally identifiable information stored on a call recording, including name, address, date of birth, even phone numbers and IP addresses. Businesses will need the capability to recall any of this information on request, and completely remove it if required by the customer. When individuals make reasonable requests to access their personal data, information must be provided without delay and at the latest within one month.
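Identifying, retrieving and deleting every recording that holds a given customer's personal data, together with the one-month response deadline, as an added Python example. This is not code from the article or from Aeriand: it assumes the contact centre indexes each recording under an internal customer reference, and the customer identifiers, file paths and dates are constructed sample data. It goes slightly beyond the text in treating the deadline as one calendar month and clamping it to the end of a shorter month.

```python
from __future__ import annotations
import calendar
import hashlib
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Recording:
    recording_id: str
    customer_id: str           # internal reference (hypothetical scheme), never spoken content
    path: str                  # storage location of the audio file
    recorded_on: date
    holds_personal_data: bool  # name, address, date of birth etc. spoken on the call


def response_deadline(received: date) -> date:
    """Latest date to answer an access request: one calendar month after receipt.
    If the following month is shorter (e.g. received 31 January), the deadline
    is clamped to the last day of that month."""
    if received.month == 12:
        year, month = received.year + 1, 1
    else:
        year, month = received.year, received.month + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(received.day, last_day))


class RecordingIndex:
    """In-memory index of recordings keyed by recording id and by customer."""

    def __init__(self) -> None:
        self._recordings: dict[str, Recording] = {}
        self._by_customer: dict[str, set[str]] = {}
        self.audit_log: list[dict] = []

    def add(self, rec: Recording) -> None:
        self._recordings[rec.recording_id] = rec
        self._by_customer.setdefault(rec.customer_id, set()).add(rec.recording_id)

    def find_for_customer(self, customer_id: str) -> list[Recording]:
        ids = self._by_customer.get(customer_id, set())
        return sorted((self._recordings[i] for i in ids), key=lambda r: r.recorded_on)

    def access_request(self, customer_id: str, received: date) -> dict:
        """Subject access: list every recording the customer is entitled to hear."""
        return {
            "customer_id": customer_id,
            "respond_by": response_deadline(received).isoformat(),
            "recordings": [
                {
                    "recording_id": r.recording_id,
                    "recorded_on": r.recorded_on.isoformat(),
                    "holds_personal_data": r.holds_personal_data,
                }
                for r in self.find_for_customer(customer_id)
            ],
        }

    def erase(self, customer_id: str, delete_file, requested_on: date) -> int:
        """Right to erasure: delete every indexed recording for this customer and
        write an audit entry that keeps only a hashed reference, so the log does
        not reintroduce the identifier that was just erased."""
        recs = self.find_for_customer(customer_id)
        for r in recs:
            delete_file(r.path)          # caller supplies the real storage deletion
            del self._recordings[r.recording_id]
        self._by_customer.pop(customer_id, None)
        self.audit_log.append({
            "event": "erasure",
            "subject_ref": hashlib.sha256(customer_id.encode()).hexdigest()[:16],
            "recordings_removed": len(recs),
            "requested_on": requested_on.isoformat(),
        })
        return len(recs)


def demo() -> dict:
    """Constructed sample data: two customers, three recordings."""
    idx = RecordingIndex()
    idx.add(Recording("rec-001", "cust-42", "/recordings/2023/rec-001.wav", date(2023, 3, 2), True))
    idx.add(Recording("rec-002", "cust-42", "/recordings/2023/rec-002.wav", date(2023, 5, 9), False))
    idx.add(Recording("rec-003", "cust-77", "/recordings/2023/rec-003.wav", date(2023, 5, 10), True))
    deleted: list[str] = []
    report = idx.access_request("cust-42", date(2023, 1, 31))
    removed = idx.erase("cust-42", deleted.append, date(2023, 6, 1))
    return {
        "report": report,
        "removed": removed,
        "deleted_paths": deleted,
        "remaining": len(idx.find_for_customer("cust-77")),
        "audit": idx.audit_log,
    }


if __name__ == "__main__":
    print(demo())
```

The index holds only references and flags, not the audio or its transcript, so a subject access report can be assembled without replaying calls; the audit entry records that an erasure happened without carrying the erased identifier in clear.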
The GDPR suggests that self-service is a best practice approach to providing this. Customers should be able to access their personal information directly and edit what is stored if they wish. Many businesses will need to question their current capabilities. Can your contact centre use whatever self-service capability it has to enable this? Do you need to upgrade your systems?
Engagement is a two-way street
GDPR will change the way companies engage with their customers. Its impact will be to improve the standards around privacy and data protection. Those that succeed can expect greater trust from their customers and a willingness to share more about themselves as a result. However, before that can happen, standards have to improve.
Customers will also engage with contact centres around many of the rights that the GDPR defines. The role played by the contact centre in meeting those requirements will have to be part of a co-ordinated, organisation-wide response. The ability to track and care for customer privacy and personal data across their lifecycle provides yet another reason why marketing, sales and service teams should be moving towards deeper collaboration.
Getting on top of this needs a fully thought through plan including a change of mindset, an upgrade of skills, new policies, workflows and roles. Technology has a vital role to play in the governance and management of these requirements.
How GDPR will actually work in practice is still unclear. For many companies though, what is clear is that much of what is currently happening in contact centres will need to be assessed for GDPR compliance.
By Matthew Bryars, CEO, Aeriand.