The impact of GDPR on the UK’s contact centres

This week’s Queen’s Speech has confirmed that data protection policies will remain high on the Government’s agenda and will continue to be a key priority for UK businesses in the months and years to come.  Centre stage of these policies will be the new general data protection regulation (GDPR), due to come into force in May 2018.

As it stands there is still quite a lot of confusion as to whether, post-Brexit, GDPR will apply in the UK.  Recent research by Crown Records Management found that 44% of UK businesses do not believe the general data protection regulation (GDPR) will apply after the UK leaves the EU.  The simple fact is that the government has made it clear that GDPR will be the law in the UK both before and after Brexit.

All business will be impacted by GDPR.  Take the humble contact centre.  Currently, there are more than 6,200 contact centres in the UK, and more than 4% of the country’s working population are employed at contact centres, with that number increasing annually.

The new, stricter set of rules around how data is captured and stored will place much tighter regulations around call recording and archiving, as well as the efficacy of the platforms used to achieve compliance.  Most businesses either directly operate a contact centre, or outsource contact centre requirements to a third party.  Businesses will need to be thinking about the regulatory impact on every contact centre touch point, from customer services and technical support to sales and marketing.

Defining legislation

The key impact for contact centres is the GDPR definition of personal information.  Whereas previously data protection requirements have been narrowly defined, GDPR covers any data that can be used to identify a person – either on its own or in combination with other data.

Under GDPR, all personal data is protected.  Businesses will need to think about how they store and recall their customer data.  Individuals will have the right to make reasonable requests to access their personal data without incurring costs.  Businesses will be obliged to share any personal data held within the contact centre, without delay and within one month.  Customers will also be able to request a copy of their data in a structured, digital and commonly used format from the controller.  Contact centres must question whether they have the correct infrastructure to process these requests.  How will they check the status of any such requests?

The GDPR suggests that self-service is a best practice approach to providing this.  Customers should be able to access their personal information directly and edit what is stored if they wish.  Many businesses will need to question their current capabilities, and in many cases upgrade their systems.  They will need a platform that archives data in a cohesive, organised manner and enables instant recall.

More importantly still, individuals will have the right to have all of their personal data erased.  Known as the ‘right to erasure’, organisations have to comply without undue delay if the customer makes a request.  Businesses will need to think about how and where their call recordings are stored, ensuring it is identifiable, accessible and if necessary erasable.  This will apply to any recording or record that includes a customer’s personal information.

Will it be fine?

One of the most discussed aspects of GDPR is its explicit mentioning of fines. Whereas the Data Protection Directive simply stated sanctions had to be defined by the Member States, GDPR exactly details what administrative fines can be incurred for violations.  The maximum fines depend on what ‘category’ the violation occurs in: for less serious violations, the maximum is € 10 million or 2% of total annual worldwide turnover of the preceding year (whichever is higher); for more serious violations this goes up to € 20 million or 4%.

Under existing data protection rules, the Information Commissioners Office (ICO) can fine organisations up to £500,000 for the most serious data breaches.  As such, it was possible to consider these as a cost of doing business.  GDPR raises the stakes to a whole new level.  Businesses outsourcing contact centre operations will remain responsible for their customer data.  They will need to question the capability of third parties and the platforms they are using.  What are the risk assessment considerations of outsourcing operations when the new legislation comes into force?

Securing your contact centre data

The new legal framework aims to address an urgent issue that currently threatens to undermine the digital economy.  More than 4.8 billion data records have been exposed since 2013, with identity theft being the leading type of data breach accounting for 64% of all data breaches.  Unlike previous generations of data legislation, the consequences of being part of the problem can no longer be counted as the cost of doing business.  The mismanagement of customer data will matter considerably, both to the bottom line and to reputation.

Organisations need to ensure the call recording and archive platforms they choose have all of the tools at their disposal to help meet ever aspect of GDPR requirements.  While these requirements are many, one important example can be found in the ‘integrity and confidentiality’ clause of Article 5.  It states that data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Businesses should look for platforms that store and transmit customer personal data on infrastructure that is compliant with international security standards, such as ISO27001 (information security management systems), BS10008 (evidential weight and legal admissibility of electronic information) and Payment Card Industry Data Security Standards (PCI DSS).  Multiple controls will be needed to achieve this standard, including: encryption of data in transit and at rest; database segregation; firewalls and network segmentation; intrusion detection and prevention systems; privilege access control; logging and auditing of changes; regular malware and vulnerability testing and backup and restore testing of critical data and system configurations.

A positive outlook

GDPR will change the way organisations and their customers engage, and its impact will undoubtedly improve standards around privacy and data protection.  Technology will play a vital role in the governance and management of the new requirements, and much of what is currently used in contact centres will need to be upgraded to become GDPR compliant.

How GDPR will actually work in practice still remains unknown.  The way in businesses decide to craft their GDPR strategy will be key in the success of the legislation.  With less than 12 months to go, however, organisations need to be preparing now.

By Matthew Bryars, CEO, Aeriandi

 

Photo Credit: www.jisc.ac.uk


PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.

Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered. https://www.privacyculture.com/