It has been almost a year since the European Union GDPR (General Data Protection Regulation) came into force and we’re all starting to relax. That mad panic in the weeks before May 25th 2018 has faded in our memories and it might be fair to say that some companies have become just a little bit complacent.
For any organisation thinking that the GDPR has gone away, it’s time to think again. (Curious about the difference between GDPR and the DPA?) Just because the Information Commissioner’s Office hasn’t been busy issuing heavy fines, you still need to make every effort to comply with the regulation. It’s there to protect everyone – customers and companies alike – and it’s the law. And when it comes to customer information, contact centres are on the front line.
There’s no doubt that it can be daunting for organisations to consider the impact of the GDPR when customer information resides in so many different areas, from customer services to technical support to sales and marketing. In contact centres, there is the additional challenge of all the channels that now exist – customers may be sharing their data through text, telephone, email, webchat or even social media. And of course there is call recording to take into consideration.
Last year we produced a guide to help contact centres to prepare for the GDPR. If you still feel that your own GDPR journey isn’t quite over yet, you can download the full version here – or refer to the summary below, which outlines the key steps you’ll need to take.
Step 1: Get Your Data Handling Right
Understand (and Track) Your Data
The first step is to identify exactly where your customer data is being held. By mapping out your systems, you will be able to keep track of a customer record journey from the moment it first enters your organisation. At no point should records holding personal data simply disappear into an archive. If a customer wants to be removed from your database, you need to be able to do so completely, from all parts of the organisation, and within a maximum of a month.
Make Sure You’ve Got a Good Reason for Every Customer Record You Have
One of the key points of the EU GDPR is that you must have a legitimate reason to be holding the customer’s data. Keeping the details of former customers on record simply so you can send them marketing messages won’t do. If your data was lost or stolen, can you justify why you were holding it? When it comes to ultra-sensitive information such as health information, you need a cast-iron case, so if you’re in doubt about whether you should be holding a record, don’t.
Encryption isn’t a Silver Bullet, But It Helps
Any data that you hold should be encrypted, and/or tokenised, whereby sensitive data is substituted with “tokens”, which are data elements that have no meaning by themselves. It’s also important to hold personal information separately from all other data, ensuring that complete records exist only when actively needed. However, it’s important to note that although encryption adds a layer of protection to your customer data, it is not an absolute barrier. If you can decode it, so can someone else.
Part 2: Focus on Your People
Minimise the Insider Threat
Human beings are still the weakest link in the chain when it comes to security. You need to trust your staff, but you can help them a lot by always applying the principle of “Least Privilege”, so nobody is exposed to any data that they don’t need to see. Too often, in a contact centre, new agents will be given access to a customer’s entire record in the CRM database when all they need is a name. By limiting this, you can significantly decrease your risk exposure.
Another essential element to this process is self-authentication. If the customer is able to enter their own details, while the service agent sees only the confirmation of a successful or unsuccessful transaction, both are protected further from the threat of fraud. With technologies such as DTMF masking, which can disguise key tones so that numbers can’t be recognised by their sound, this approach is possible for telephone transactions as well as online.
Train Your Team
Regular training in procedures for everyone in the contact centre is essential. Not only do your customer service agents need to be fully competent in the basic procedures such as changing passwords and being aware of phishing and spear phishing attacks, but your contact centre managers must be reviewing access levels regularly and ensuring that policies are kept up to date.
It’s also important to make sure your agents watch their language when they take notes. Under the GDPR, customers can invoke a Subject Access Request (SAR) in order to gain access to the comments logged during a call. It will no longer be possible to issue a charge for this so we expect the number of requests to increase. Everyone knows how tempting it is to vent one’s feelings in writing after a difficult call, but make sure your team knows that the customer could end up reading any comments they make!
Step 3: Think Outside Your Own Organisation
Other Regulations Help!
If you are compliant with the Payment Card Industry Data Security Standard (PCI DSS) then you are already halfway there. You’ll have the policies in place for handling customers’ credit and debit card details, so extending this to include all personal information will not mean starting from scratch. The ISO 27001 standard will take you even further, so it’s an investment that is well worth making.
Your Partners are Your Responsibility
Beware of outsourcing. The EU GDPR makes it clear that you are still responsible if one of your partners allows a data breach to take place, so make sure you are fully aware of exactly who else is handling any of your customer data. It doesn’t matter whether they are based outside the EU – if they are handling the data of EU citizens, the EU GDPR still applies.
And Finally… Don’t Forget to Protect Your Team
When you have so many concerns about customers, it’s easy to forget the GDPR also applies to your own employees. Don’t let your eagerness to protect your customers’ data forget that your staff have a right to privacy too, so make sure that your procedures for handling internal data are just as rigorous.