Designed to create a single standard of data protection across all European Union member nations, the EU General Data Protection Regulation will be the world’s first and largest international legislative act of its kind around data privacy. Whether or not an organization is based in the European Union, the regulation will have far-reaching consequences and will require compliance from any entity that processes the private data of EU citizens.
The European Union’s General Data Protection Regulation will provide broad-reaching oversight of the way the private data of consumers is handled by any company that does business with citizens of the European Union.
Scheduled to take effect on May 25, 2018, the regulation will apply in all EU member states.
Organizations that do not comply with the standards outlined in the legislation will face significant fines.
Even when a company based in the United States or Canada has no physical presence in the EU, if it processes and holds the private data of any EU citizen it must comply with the regulation or face the consequences, just like any other organization.
While the EU General Data Protection Regulation outlines many practices for the treatment of consumer personal data, there are several major stipulations to which companies must pay particular attention.
Learn more about the main tenets of the EU GDPR and what they mean for your company or organization.
Breach of compliance could result in fines of up to 4% of global revenue or €20m, equivalent to roughly $23.4m, whichever is greater.
The amount depends on the severity of the breach and on whether the organization can show that it had measures in place to protect customer data.
In addition to paying the government, organizations may also have to make pay-outs to customers.
On top of the official fines, your company may also be required to pay customers damages in the event of data loss or theft.
Organizations will need to appoint a Data Protection Officer.
Whoever holds this position will be responsible for managing data protection and data privacy, and must be free to give recommendations or feedback without fear of negative consequences. This requirement only applies to organizations that handle ‘significant’ volumes of data, so it will typically not apply to small and medium-sized enterprises.
The EU rules apply to anyone trading in Europe.
Regardless of whether an organization is headquartered in the EU, it will still have to comply with the data protection regulations if it plans to offer services within the EU. More generally, the new rules will mean tighter controls on the protection of data no matter where it is sent, processed or stored.
The laws reach beyond just the one organization.
Any organization or individual that processes data will be held responsible for its protection. This means that any third-party organization processing customer data will also be subject to the EU GDPR.
A time limit to report breaches has been set.
All data breaches must be reported to the appropriate regulatory body within 72 hours.
The European Commission defines personal customer data as “any information relating to an individual, whether it relates to his or her private, professional or public life.” Under this definition, personal data can count as any of the following:
Because of the GDPR’s broad-reaching definition of personal data, with something as common as a customer’s name or email address falling under the designation, most contact centers will find themselves processing at least some kind of personal data. This means that if your contact center deals with citizens of the European Union, your organization will have to comply fully with all of the standards outlined in the GDPR.
By requiring contact centers to take the protection of sensitive customer data more seriously, the GDPR will push organizations in the right direction to reduce the number of vulnerabilities in one of the most susceptible areas of a business, and hopefully drive down the risk of a data breach.
Semafone’s Cardprotect provides patented data capture software that prevents personal data from entering your internal contact center systems. This means that in the event of a data breach, the data is not present and, therefore, cannot be exploited. Not only does this protect you from the risk of fraud and the associated reputational damage, it also ensures you are compliant with industry regulations such as the Payment Card Industry Data Security Standard (PCI DSS).
The software uses DTMF masking technology, which allows your customers to type their sensitive details, whether that be payment card numbers, bank details or other personal information, directly into the keypad without having to worry about them being overheard or stolen. This also means they can stay in constant contact with your customer service representative during the entire transaction, which improves customer service and satisfaction rates.
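The paragraph above describes DTMF masking only at the level of what the customer and agent experience. The following is an added illustration of the underlying idea, written for this page and not Semafone’s code: the call audio is split per 20 ms frame, each frame is checked for a valid DTMF tone pair with the Goertzel algorithm, and frames that carry a keypress are replaced with a flat 400 Hz tone on the agent’s side while the digit itself is routed to a separate capture channel. The sample rate, frame length, detection threshold, mask tone and the synthetic “call” (a 300 Hz sine standing in for speech, followed by keyed digits) are all constructed assumptions for the demo.

```python
import math

# Constructed demo parameters: narrowband telephony audio, 20 ms frames.
SAMPLE_RATE = 8000
FRAME_LEN = 160
LOW_FREQS = [697, 770, 852, 941]          # DTMF row frequencies (Hz)
HIGH_FREQS = [1209, 1336, 1477, 1633]     # DTMF column frequencies (Hz)
KEYPAD = ["123A", "456B", "789C", "*0#D"]
MASK_FREQ = 400.0    # flat tone the agent hears in place of each keypress (assumed)
MIN_AMP = 0.2        # detection threshold on the estimated component amplitude (assumed)


def tone_samples(freqs, n, amp=0.5):
    """Sum of sines, n samples long. Constructed test audio, not a real call."""
    return [sum(amp * math.sin(2 * math.pi * f * i / SAMPLE_RATE) for f in freqs)
            for i in range(n)]


def dtmf_samples(digit, seconds=0.1):
    """DTMF tone pair for one keypad digit."""
    for row, keys in enumerate(KEYPAD):
        if digit in keys:
            return tone_samples([LOW_FREQS[row], HIGH_FREQS[keys.index(digit)]],
                                int(SAMPLE_RATE * seconds))
    raise ValueError(f"not a DTMF key: {digit!r}")


def goertzel_amplitude(frame, freq):
    """Estimated amplitude of one frequency in `frame` (Goertzel algorithm)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2
    # |X| for a sine of amplitude A over N samples is about A*N/2.
    return 2.0 * math.sqrt(max(power, 0.0)) / len(frame)


def detect_digit(frame):
    """Return the keypad digit present in the frame, or None if no valid tone pair."""
    low = max(LOW_FREQS, key=lambda f: goertzel_amplitude(frame, f))
    high = max(HIGH_FREQS, key=lambda f: goertzel_amplitude(frame, f))
    if (goertzel_amplitude(frame, low) < MIN_AMP
            or goertzel_amplitude(frame, high) < MIN_AMP):
        return None
    return KEYPAD[LOW_FREQS.index(low)][HIGH_FREQS.index(high)]


def mask_stream(samples):
    """Split the call audio: keyed digits go to a separate capture channel and the
    agent-side audio gets a flat tone in their place.
    Returns (agent_audio, captured_digits)."""
    agent_audio = []
    captured = []
    previous = None
    for start in range(0, len(samples), FRAME_LEN):
        frame = samples[start:start + FRAME_LEN]
        digit = detect_digit(frame)
        if digit is None:
            agent_audio.extend(frame)
        else:
            agent_audio.extend(tone_samples([MASK_FREQ], len(frame), amp=0.3))
            if digit != previous:   # consecutive frames of one keypress count once
                captured.append(digit)
        previous = digit
    return agent_audio, "".join(captured)


def demo_call(digits="4111"):
    """Constructed call: agent 'speech', the caller keys digits with 40 ms gaps,
    then agent 'speech' again."""
    speech = tone_samples([300], int(SAMPLE_RATE * 0.2), amp=0.6)
    gap = [0.0] * int(SAMPLE_RATE * 0.04)
    call = list(speech)
    for d in digits:
        call += dtmf_samples(d) + gap
    call += speech
    return call


if __name__ == "__main__":
    agent_audio, digits = mask_stream(demo_call("4111"))
    print("digits routed to capture channel:", digits)
    print("digits still detectable in agent audio:", repr(mask_stream(agent_audio)[1]))
```

The check that matters for the page’s claim is the second one: running the masked agent-side audio through the detector again yields no digits, so a recording of that audio, or anyone listening to it, has nothing to exploit. A production system would also need to cope with frames where speech and tones overlap and with line noise, which this demo does not attempt.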