How GDPR May Affect Customer Services
Complying with GDPR may be a concern, but good preparation can make all the difference. Here, we explore how your customer service team might be affected.
As you’ve probably heard, as of May 2018 all companies who handle personally identifiable data about EU and UK citizens will need to comply with a data protection law called GDPR. It’s causing a great deal of concern to a lot of businesses, but if you approach it with knowledge and planning, it needn’t be such a worry.
Join us as we explore the new rights and rules that are laid out under GDPR, and the ways that your customer support teams may be affected.
GDPR: The Basics
The “General Data Protection Regulation” or GDPR is a new EU-wide data protection law that standardises and updates the data protection rights of individuals across all EU member states (including the UK post-Brexit, reference the recent “Data Protection Bill”). It implements several rules that give ultimate control over personal data back to the people that data refers to.
All companies that hold personally identifiable data about EU and UK citizens will need to be totally compliant by the 25th May 2018, otherwise they may face a fine of up to €20m or 4% of the company’s annual turnover from the preceding year (whichever is greater).
Though we have tried to be as accurate as possible in this article, it summarises some very detailed legislation. We would highly recommend you read the ISO’s guidance on GDPR to cover some of the finer points.
First Steps – A Full Data Audit
Because GDPR deals with identifiable data, carrying out a full audit of how data enters, flows around, and leaves your organisation is a valuable place to start. Take stock of the ways that you handle, store, recall, and process the data belonging to private individuals; what do you do with that data? What permission do you have from each individual to process that data? Does any information get shared with third parties? Are there any weak spots in your practices that might result in data loss or unauthorised access?
Take a top-down, inclusive look at all interactions your company has with individuals’ personal data, how it flows around various departments, how your customer-facing teams access that information, and what permissions they have with that data.
Willing Consent & The Right to be Informed
Consent is a concept that underpins the whole GDPR ruling. If a company wants to use a person’s identifiable data, the company will need to seek clear and knowing consent from the consumer. Companies will also need to be prepared to answer questions from consumers about how their data is used and publish their privacy policies in clear language so as to be easily understood. It also permits people to retract consent they may have previously given.
How this affects Customer Services: It is paramount that all team members (not just customer-facing ones) understand GDPR, and the core concepts that underpin it – not least that of consent. Additionally, it could be quite likely that your customer service operatives will be the ones fielding calls asking what data is held, what you do with it, and why you have it. Train your team how to handle these queries without ambiguity. If someone wishes to retract their consent from a given activity, your customer operatives may have to fulfil that request – make sure they receive training about compliance with individuals’ wishes under GDPR.
Rights of Access, Rectification, Erasure, and Portability
Under the right of access, citizens can request a digital copy of all data you hold about them in a commonly used electronic format, delivered within one month of the request. The right to rectification states that if a company holds incorrect or incomplete data about an individual, that person has a right to have it corrected within one month. Under the right to erasure, a company must comply with any request to delete a person’s identifiable data unless they have a lawful basis to refuse that request. Under the new right to portability, consumers have the right to request that their data be passed between two organisations without hassle (for example when they are moving to a new service provider).
How this affects Customer Services: The systems and storage media that your teams use should all allow for the amendment, deletion, and portability of data with no complications or security concerns. In order to fulfil access and portability requests, you’ll need to make sure your systems allow for data to be exported quickly, easily, and in a common format. As well as changes to your systems, your staff must be brought up to speed with how to use your systems in order to comply with these requests.
The Right to Restrict Processing
Citizens will be able to object to a company processing their data in ways that they object to. This may include sending the individual marketing materials or sharing their details with third parties. You are allowed to keep just enough of the person’s data to make sure their wishes are met.
How this affects Customer Services: Though this rule sounds simple, there are a few important circumstances to be aware of over on the ICO’s website. In order to act on restriction requests, your systems will have to allow for individuals’ data to be ringfenced in order to cease further processing, and your teams will have to be trained on how to carry out these requests in compliance with the law.
The Right to Object
Citizens will have the right to object to uses of their data for direct marketing, profiling based on any legitimate interest, or for statistical analysis should they have legitimate “grounds relating to their particular situation”.
How this affects Customer Services: Your customer-facing teams will have to be aware that people can object to certain uses of their data, not least to direct marketing practices. If your customer service operatives have control of or access to your direct marketing lists, they must be aware that consent for direct marketing needs to be given freely and auditably.
Rights Relating to Automatic Profiling and Decision Making
If you rely on automatic profiling systems to make decisions about customers (such as automated credit scores), this is an important one. This gives consumers the right to appeal any potentially damaging decision made without human intervention, and plead their case to a human decision maker.
How this affects Customer Services: If your customer relations teams rely on automated decision-making tools, then you will need to make allowances for this new right. Individuals must have the ability to challenge any automatically generated decision with a human decision-maker. There are a few exceptions and rules surrounding automated profiling, you can check those out here.
Dealing with Data Breaches & Leaks
All organisations will be duty bound to report certain data breaches to their relevant supervisory body, and in some cases also to the individuals affected. This refers to any breach of security that could result in unauthorised loss, access to, or disclosure of individuals’ personal information.
How this affects Customer Services: At the very least, your customer service operatives should know what constitutes a data breach, the rules surrounding data security, and how to notify management of any breach concerns. Measures should be put into place in order to deal with data breaches; it might be a good idea to create an action plan for when data breaches happen, and to carry out “practice runs” of this plan so everyone is prepared.
Accountability and Data Protection Officers
Under GDPR, all companies are expected to govern their data protection measures carefully. You must train your staff and implement technical measures to make sure that your whole company is compliant with the new ruling. Under certain circumstances, you might also need to appoint a Data Protection Officer (DPO).
Though this last element may not affect customer services directly, it highlights the importance that GDPR is something that the whole company needs to work together on. Though we don’t want to make GDPR sound scary, the truth is that it only takes one weak link in the chain to undo a whole company’s good work. Your systems need to ensure compliance by design, and all of your staff, in all departments, and all levels of management, need to be made aware of the new rules.
Overview of the GDPR from the Information Commissioner’s Office (ICO)
GDPR: 12 Steps to Take Now from the ICO
Getting Ready for the GDPR Checklist from the ICO
Previous FIVE CRM blog posts about GDPR:
DISCLAIMER: This blog post is provided only as a guide to GDPR legislation and should not be considered legal advice. Quality Systems Solutions Ltd advise you to seek your own appropriate legal counsel.