Many organizations, particularly in North America, think that the EU’s General Data Protection Regulation (GDPR) doesn’t apply to them. On May 25, 2018, the day the GDPR went into effect, I happened to be in Canada doing an in-person workshop with a large financial services client. In a session about contact center trends, I mentioned GDPR — only to be greeted with blank stares and “What’s that?” from the room. On the day of implementation!
GDPR doesn’t just affect European companies. It has global reach, and momentum for similar consumer privacy regulations is growing in the US, as well. We conducted interviews with GDPR experts, privacy consultants, and technology vendors to understand what customer service organizations need to know about the GDPR and GDPR-like regulations that are coming down the pipe. In Forrester's report and webinar, we identify three aspects of compliance for customer service organizations to focus on:
Consent management. If you’re using consent as your legal basis for processing data, there are three aspects you’ll need to focus on in the contact center. Identify and map the context of the consent you obtain, capture a record of the initial consent, and then document and manage those records of consent across channels and time. Humans are fickle — a consumer or individual may decide to revoke consent on one channel but not another or for one processing purpose but not another. Prepare for this with rigorous tracking and documentation processes.
Customer data access and retention management. This is the hardest piece of compliance in the contact center from a logistics standpoint. Because customer data lives literally everywhere, brands are facing significant hurdles when attempting to comply with customers’ requests to retrieve or access their data. With multiple touchpoints and tons of unstructured data, you’ll need case management systems to manage customer requests for access, solid data governance, and customer journey mapping exercises to discover less obvious customer data repositories.
Incident management. If you are hit with a data breach or other incident, how your organization responds will be a determining factor in how severe the costs are, in terms of both public backlash and regulatory penalties. If you’re serving EU customers, you’ll need to shore up your breach notification processes to comply with the GDPR’s 72-hour notification requirement. You also may want to consider using a specialist outsourcer to manage the spike in customer service volume that often results from a breach. However, make sure that whichever outsourcer you use, they are maintaining GDPR compliance, as well.
Don’t put your brand at risk by ignoring regulations like the GDPR — they’re steadily gaining momentum around the world, and your blank stares will only run you afoul of data protection authorities in the event of an unfortunate data incident. Review your strategy with your data protection officer, and if your company doesn’t have one, make some noise! With the implementation of the California Consumer Privacy Act looming, now is not the time to lag behind on privacy. It’s a long and difficult journey, but making privacy a priority will reinforce customer trust, drive revenue, and protect the brand.