“Oh, do tell me more about this GDPR thing!” Said no one. Ever.
And in any event, it’s all over and done now, isn’t it? The old Data Protection Act has been repealed and replaced with the new, 2018 Data Protection Act – which incorporates the GDPR* into British law. Perhaps that means that the confusion and misinformation that’s grown up around GDPR will now stop. Maybe, but I wouldn’t bank on it!
One thing we can be sure of is that contact centres will be front and centre when it comes to how organisations respond to a new world of personal data protection rights and responsibilities. You are the frontline of your customer experience and if customers want to understand or exercise their data rights it will probably be you they talk to first. And that’s why you should be taking a personal interest in data protection and how it will influence your customers and your ability to interact with them.
Different organisations are at widely varying stages of preparation for the new Data Protection Act. If your organisation is ill-prepared then there is a long list of areas you will need to review in light of the new Data Protection Act. However, from a contact centre and customer experience perspective, here are three key areas for starters:
1. Understanding Your Customer Experience Data Infrastructure
In my experience, the person with the best understanding of where and how prospect, customer and partner personal data flows in and out of an organisation doesn’t work in IT, Finance, Legal or Compliance. It’s the person responsible for customer experience and the contact centre.
They will know about
- the half-forgotten, old marketing activity that still results in a dribble of email contacts each month
- the sporadic data imports from the field or events, and
- the ad hoc spreadsheets that sprang up to capture or process data when no one had thought about the operational implications of a new initiative.
They will probably also have a good understanding of the – typically large and growing – set of 3rd party suppliers and technology solutions that help support multi-channel customer experience:
- Cloud telephony and call recordings
- SMS despatch tools
- CRM solutions
- Email and chat providers
- Payment processor and fraud screening
- Knowledge management tools
- Analytics solutions
- Social media sentiment and service tools
- etc, etc
That person may be less clear about whether any of your technology partners or services transfer, save or process personal data outside of the EU or EEA (European Economic Area). If they do (which is highly likely), then you need to be clear about the legal basis on which you are contracting with them to do this. And if you have intra-company transfers of personal data outside of the EEA – and your organisation doesn’t have Binding Corporate Rules (BCRs) in place, which is unlikely as BCRs are tricky and expensive to establish – the same stipulations apply.
Like a lot of aspects of the GDPR, the key consideration here is transparency – let your customers know what you’ll do with their data and why. So before you do that you’ll need to a) know where the personal data is going, and b) be confident that it will be safely and securely treated.
Whenever personal data transfers outside of the EEA are being carried out you will need to explain this to the data subjects whose personal data is being affected. If you have a good reason for doing this and can be confident that your overseas partner will handle the data appropriately, then there’s no problem.
If not, then you’ll need to take a long hard look at your ‘customer experience infrastructure’.
Life’s a lot simpler if you are transferring and processing data in countries that the EU has ruled to display ‘adequacy’ in terms of personal data protection. However, the current list is rather eclectic and includes a mixed bag of countries: Switzerland, Andorra, Faeroe Islands, Guernsey, Jersey, Isle of Man, Argentina, Canada, Israel, New Zealand and Uruguay. Unfortunately, the USA is only ‘partially adequate’ and you will be reliant on your partner/supplier overseas company to gain Privacy Shield status; it’s not a given.
Finally, if you are a provider of technology services which requires client personal data to be transferred out of the EEA then this is another data protection-related concern you will want to add to a growing list. See our blog from a few months ago: www.channeldoctors.co.uk/blog/29-technology-providers-it-s-time-to-wake-up-to-the-gdpr
2. Trust in your Contracts!
We’ve already established that you will probably have a good grasp of who’s involved in handling and processing your prospects’ and customers’ personal data. The Information Commissioner’s Office (ICO) has made it clear in its guidance (www.ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/contracts/) that whether you’re a data controller or processor you will need clear, explicit contractual terms in place on which to process personal data.
If you haven’t reviewed your contracts yet then start to think about
- who supplies personal data to you
- who do you supply data to, and
- who processes, profiles, handles and enhances that data?
Get a sheet of flipchart paper and start writing a list. Pin it up and ask your colleagues to have a go, too. Keep returning to the list and see how many organisations you manage to list (ideally with a brief description of their role). Every one of these organisations needs to ensure that their contractual roles are clearly defined for the new Data Protection Act.
At some stage the ICO will be providing model terms and statements for use in data processing contracts, but I doubt they’ll emerge any time soon. If you’d like some help, but don’t want to incur lots of legal fees, then word has it that the Direct Marketing Association is working on an update of their existing Data Processing Agreement Template, which should be available long before the ICO’s and should be gratefully received by data controllers and data processors alike.
Whether you have just started your preparations for the GDPR and the forthcoming new Data Protection Act or you feel it’s all sorted, you need to ensure your most important stakeholders – your frontline staff – are prepared.
Your customer facing teams mark where your customer experience ambitions are either realised or frustrated. When handling customer contacts they are the face of your organisation. As such they will be the first port of call for customers looking to exercise their new and enhanced rights.
As a bare minimum, you need your frontline colleagues to:
- Recognise a data privacy-related customer request (i.e. a Subject Access Request, a request for the Right to Erasure, or a ‘how do you use my data?’ question)
- Know what to do as a result
- And ideally, their understanding should be based on a confident understanding of your organisation’s approach to handling personal data, customer data journeys and so on
How you choose to train your people is, of course, a question you are best placed to answer.
If you have an established process of briefing, training and knowledge management then just make sure you’ve booked your ‘slots’ for new or updated data protection training. And if you want to do this from a customer-centric perspective, then why not start with sharing with your colleagues what their new and enhanced rights will be (www.ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/), before getting into the process detail of what they should do in their ‘day job’ as employees. Especially because the volume and frequency of personal data-related contacts and requests will be so hard to predict, an effective knowledgebase will really help your people get access to the information they need, when they need it.
Conversely, if you never train your staff (and I’m sure that doesn’t apply to any CCMA members, but there really are plenty of organisations out there that never do!) then a day’s classroom immersion into the minutiae of EU and UK data privacy regulations is either unlikely to help your colleagues or staff very much – or likely to lead to lots of unintended consequences…
We’ve just touched on three areas that a customer focus is likely to lead you to look at when getting prepared for the new Data Protection Act. There are plenty of others, of course, but bear in mind some key points:
- Great customer experience is often based on openness and transparency with customers – so is data protection
- You might not get all the answers (or be able to deploy the ideal data management technical solutions) straightaway, but the ICO is going to look for evidence that you engaged with the challenge first of all
- There is lots of free guidance and information available from various sources – but start with the ICO itself (ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/ and www.ico.org.uk/for-organisations/resources-and-support/your-data-matters/) and the DMA (www.dma.org.uk/gdpr)
*that’s the General Data Protection Regulation, a mandatory EU-wide overhaul of the treatment of personal data for consumers (‘data subjects’ in GDPR lingo) anywhere in the EU. But you knew that anyway.
About the author
Channel Doctors’ founder, Steve Sullivan, has 20 years’ experience of solution design and delivery in customer experience and contact centres. This has included working with a variety of brands such as American Express, Ageas, Abel & Cole, Land Rover, Marks & Spencer, The Guardian and Burberry. As Deputy Chair of the UK Direct Marketing Association’s Contact Centre Council and lead for its Regulation Hub, Steve has developed a detailed, pragmatic understanding of current and future data protection regulation in the customer management space. This has been further enhanced through membership of the Direct Marketing Association’s GDPR Taskforce. Steve is a Fellow of the Institute of Direct & Digital Marketing and is currently developing course content for its Certificate in GDPR and ePrivacy. You can contact Steve at firstname.lastname@example.org.