How can you make your Contact Centre GDPR-proof?
The General Data Protection Regulation (GDPR) sets out new, more specific guidelines on data protection. Given the advent of all the new technologies and direct marketing carriers over the past 10 to 20 years, it was high time to renew the legislation in this domain. After all, it was last adapted in 1995!
So what may actually still be done with personal data?
The six most important personal basic rights are:
- The right to access acquired data: Individuals reserve the right to request at any time that a company provides the data collected about them.
- The right to protest: Individuals may always refuse to permit the use of their personal information.
- The right to rectify information: Individuals may ask to adjust or improve their personal data at any time.
- The right to limit processing: Individuals may let it be known at any time that they no longer agree to their information being processed further. Previously given permission may be withdrawn at any time.
- The right to data portability: Individuals may at any time ask to be given all the personal data collected about them in a portable format (pdf, csv, xlsx files, etc.).
- The right to erase data: Like the ‘right to be forgotten’, this entails individuals’ entitlement to ask an organisation to delete some or all data about them at any time.
At the same time, these explicitly stipulated rights suggest some implicit restrictions.
What role does a Contact Centre play with respect to managing data?
One frequent characteristic of contact centres is that you are not the owner of a large proportion of the customer data with which you work on an operational level. These stem from your Customers/Clients. This means you need to consider various roles. When managing your employees’ data and contact details, you are the Data Owner and Controller. When managing customer data entrusted to you by your Customers/Clients, you are the Data Processor and they are the actual Data Controllers and Owners. And what about the information which Data Processing entrusts to you, which you then complement with data on your employees and give back to your Customer/Client? This makes your Customer/Client the processor of the data you own. It’s all rather complicated.
Our plan of attack
Back in March 2017 we immersed ourselves in the material on the GDPR. This scrutiny stage was followed by many discussions and training sessions, both in-house and externally, to ascertain the impact of the new legislation on our domain and specifically on our organisation. Our team thought long and hard about how we could resolutely ensure that the aforementioned rights can be respected within each of our roles (as Data Processor, Data Owner or Data Controller). For our Customers/Clients, we drafted a specific GDPR annex to their contracts, giving them the certainty that we handle their end-users’ (and their own) data in a GDPR-friendly manner. In addition, we also ensured that our personnel policy is fully ‘GDPR-proof’. Many different people work for our organisation, and we, too, work for many different people. So there’s a lot of data to take into account, a great deal of thinking and organising to do.
The challenge: how do you inform and raise awareness among your employees?
Because it’s a specific characteristic of our sector that employees work to different schedules and often from home, we needed to come up with what is for us a more efficient method than, say, arranging workshops.
We opted to develop an e-learning course for all colleagues (at each level of the organisation). The video explains, step by step, what can and cannot be allowed within the context of the GDPR. The e-learning course ends in an exam requiring a really high score (90%) to pass. If the score isn’t that high, the entire e-learning course must be retaken until the exam is passed. Subsequently, a Code of Conduct stating that we understand the GDPR legislation and have taken it on board is submitted to each of us to sign.
As a Contact Centre, you are a Data Processor as well as a Data Owner and Data Controller. Where customer data are concerned, the Data Controller and Data Owners are your Customers/Clients and you are the Data Processor. When you return processed data to your Customers/Clients, you are the Data Owner and they are the Data Processor. As for your own internal organisation, as a Contact Centre you are the full data package.
Consequently, it takes a great deal of effort to get your Contact Centre ready to work in a fully GDPR-compliant manner. The main thing is to make clear who serves in which role in which situation. Once that’s been specified, every individual within your organisation must systematically be informed and sensitised. After that, every employee must explicitly state and acknowledge their commitment. The logical next step is to develop a number of (new) reflexes in your daily work, including when exchanging data files in any direction. For every such exchange, it must be documented how and why these data will be used. Common sense will already get you pretty far, combined with knowledge of the issue at every level.
So we’re ready.