How can you make your Contact Centre GDPR-proof? 2.0
In an earlier article, we mainly focused on the history of the GDPR and the basic rights it sets out. We also addressed the various roles of a Contact Centre in this context (Data Owner, Data Processor, Data Controller).
We now want to look in more detail at a number of limitations on the handling of personal data that Contact Centres must comply with. Because everything hinges on it, we will then define what the GDPR actually means by personal data, and by sensitive personal data in particular.
1. What are the limitations?
Limited purpose – Question: Why?
- Collected for specified, explicit and legitimate purposes
- Data may only be used in accordance with these purposes
Limited quantity – Question: What?
- Adequate and relevant
- The data collected must be limited to the purposes described
Limited retention period – Question: How long?
- Personal data may be kept in a form that allows the person to be identified only for as long as the purpose requires
- Personal data must not be stored longer than necessary; once the purpose has been served, the data must be deleted or anonymised
A commercial process (e.g. a sales campaign) entails different retention obligations from a simple request for information, and the applicable period can even vary by sector.
Security and confidentiality – Question: Who?
- Personal data must be protected
- Sufficient measures must be taken to limit access and make any transfers secure
Have you thought about the personal data of your own employees?
Accuracy – Question: How?
- The data collected must be accurate
- Inaccurate data must be corrected or deleted without delay, and it must be possible to do so promptly on request
Have you taken the necessary steps together with your Customers/Clients?
Correct (lawful, fair and transparent) processing – Question: Familiar with the six rights? (They were discussed in our previous article and are referred to again in the conclusion.)
2. Personal data
Which personal data are included?
To answer this question properly and clearly, we need to define personal data.
What are personal data?
- Any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, a telephone number, location data, an online identifier, a photograph and so on.
- Or by reference to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
A Contact Centre manages and/or collects a lot of personal data for its Customers/Clients, as well as personal data from its own staff. Don’t forget them!
When may a Contact Centre use personal data?
- To perform a contract
  - Name, address, e-mail address and so on, e.g. for sending an invoice
- For a legitimate interest
  - To offer extra value to the customer through a new service
  - To prevent fraud
- If a person has given his or her consent for one or more specific purposes
  - The person has indicated that he or she may be contacted for marketing purposes
- For compliance with a legal obligation, or for reasons of public interest
- To protect an individual's vital interests (medical emergency)
Where is the distinction made with sensitive personal data?
Sensitive personal data (the "special categories" of the GDPR) are a specific subcategory whose processing is prohibited unless one of a limited set of exceptions applies; the most common exception is the explicit consent of the person concerned. These include:
- Data revealing racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Membership of a trade union
- Genetic data, and biometric data used to uniquely identify a person
- Data concerning health
- Data concerning a person's sex life or sexual orientation
Does a Contact Centre use any sensitive personal data at all?
The files that Contact Centres manage and use for their Customers/Clients do not usually contain sensitive personal data. National registration numbers are a borderline case: they are not a special category under the GDPR, but member states may impose additional conditions on their use, so they should be handled with the same care.
Of course, usually does not mean never. Every project is different. In the medical and healthcare sectors, for example, the rules need to be defined even more clearly.
To cover all the bases, we will summarise what is/is not allowed and in which circumstances.
When may a Contact Centre use sensitive personal data?
- If it has received explicit consent from the individual (opt-in)
- If the information has manifestly been made public by the person in question (e.g. a publicly held political mandate)
- If it is in the vital interest of an individual (medical emergency)
- If it is legally required or necessary for reasons of substantial public interest
- If it concerns scientific research or statistical purposes, subject to appropriate safeguards
In short, a lot to take into account. This is another area where all employees must be fully aware of what they are doing with regard to data management.
3. Our GDPR-proof conclusion
The six principles set out above govern the collection, storage and processing of personal data.
Contact Centres do not require explicit consent to use personal data as long as another lawful basis applies (performing a contract, a legitimate interest, a legal obligation); explicit consent does become the usual basis for sensitive personal data. This does not mean that the six basic rights
we discussed in our previous GDPR blog do not need to be respected. On the contrary, they must be applied at all times. Every individual, whether customer or employee, must be informed of this or be able to find out about it.
How we handle it:
- We inform the joint bodies.
- Our entire staff is trained and constantly encouraged to develop and use the right GDPR practices.
- We provide the resources required to process personal data securely.
- Our systems have been reviewed and adapted where necessary.
- We consult with our Customers/Clients and offer them approved transfer methods.
- We have clearly defined the time limits for storing personal data internally and apply them strictly.
- GDPR roles and responsibilities are clearly defined and formalised in our contracts with Customers/Clients and any subcontractors. We have also considered:
  - managing access to and use of call recordings;
  - obtaining customers' consent to collect and use their personal data;
  - appointing a Data Protection Manager and a Data Protection Officer, responsible respectively for protecting data and for implementing the principles within our organisation.
- The channels through which we exchange personal data are protected by dedicated security software.