The forthcoming General Data Protection Regulation (GDPR) introduces an immediate need for Contact Centre Managers to fully understand the implications that this legislation will bring operationally. Whilst it is easy to view the new regulation as just being another tick in the box, organisations should view this as an opportunity to get their own house in order, treat personal data in the way that they would wish to have their own personal data treated, and in addition, use GDPR to its competitive advantage.
The following are some key consideration areas for Customer Experience and Contact Centre owners to focus on right now:
1. Systems and Processes
With data protection being the crux of the regulation, contact centre software, credit card transaction devices, call recording software and Service/Case Management platforms must be GDPR compliant. The rights of data subjects (such as access to their data and receiving copies of the data) need to be supportable by all these platforms, and may require new business processes in order to comply.
2. Outsourcing considerations
Organisations who choose to outsource their contact centres need to be aware that they are still the data controllers, and must take steps to ensure that their respective service providers have systems and processes which are compliant with the GDPR.
3. Storing, processing and accessing personal data records
Contact Centres are handling personal data (emails, names, addresses) every second of the working day, and as such must understand where every single information asset used by employees exist today (a system, a device, a spreadsheet, an app) where personal data exists, and assess each related process by applying data protection impact assessments, and then reconcile their findings against the new obligations and remedy. Duplicate data may need to be cleansed, through manual effort in some instances, and consideration should be made toward the simplification of fields in certain systems by only recording what is needed.
4. Compliance standards
The new regulation is partly underpinned by existing information security and data protection standards such as ISO 27001 and PCI. Organisations who have contact centres, or an outsourced contact centre, should consider becoming ISO 27001 compliant themselves, and ensure that their outsourced providers utilise the same, or similar, framework. This approach serves to embed security into the culture and process of your organisation, and allows you to address GDPR regulation as part of a systematic approach to data protection alongside ISO 27001.
Whilst the framework described above paves the way to better processes and internal security awareness, it goes without saying that technology is going to play a key role in ensuring organisations are compliant.
Anti-malware, multi-factor authentication, email security, data loss prevention and access identity management solutions are commonplace now, and will contribute significantly to the GDPR compliance challenge.
As the frequently used expression goes “GDPR is not an event it's a journey”.
Olive’s overall recommendation to Contact Centre owners is in the absence of any GDPR compliance certification or framework, becoming ISO 27001 compliant is a giant leap to ensuring that data protection and information security are part of everyone's working day, and not another Y2K which quickly fades away into the distant past.
Organisations concerned about where to start, and who do not apply a systematic approach to security through a recognised accreditable standard should consider obtaining Cyber Essentials and Cyber Essentials Plus accreditation - a relatively low-cost step which, once achieved, provides a kite mark to demonstrate that you take cyber security seriously. This forms the basis for launching into a business-wide Information Security framework such as ISO 27001, which will go a long way toward the GDPR compliance journey.
7. PCI compliance
If your contact centre performs credit card transactions, ensure you are PCI compliant. Olive partner with leading PCI compliance partner Semafone to provide a simple, cost-effective solution to taking card payment transactions over the telephone.
8. Demonstrate your commitment
It should be recognised that showing intent is absolutely key to reducing the likelihood of large financial penalties and damage to your organisation's hard-earned reputation. Even small steps such as implementing secure printing or enforcing clear desk policies (where personal data, password etc simply cannot be left around) are seen as showing intent in the eyes of the enforcer - they won't make you compliant, but they can kickstart the program, raise the awareness of the importance of data protection and the GDPR, and finally reach the point of compliance.
Contact Centre leaders need to work closely with whoever is running the GDPR program, and should familiarise themselves with the regulation information at ico.org.uk