Happy Anniversary General Data Protection Regulation (GDPR)! It’s been a year since the new regulation came into effect, and it’s time to see how it’s delivered on its promises.
After the mass panic in the weeks leading up to the GDPR’s implementation, there was a brief lull: one month later, it seemed that many organisations were either ignoring it or struggling to implement it. Uncertainty prevailed about whether the threatened fines would in fact be imposed, but the doubters were proved wrong. Fines worth €56m from more than 200,000 reported cases were imposed in Europe – although it’s important to note that €50m of this was a fine for Google alone, from the French data watchdog CNIL.
So, How’s It Been for the Customer?
The GDPR exists to empower and protect customers, putting the control of their personal data into their own hands. But have customers recognised this, or taken advantage of their new powers?
The answer is yes… to a point. Data privacy management company TrustArc recently carried out a survey with Ipsos MORI and found that 36 per cent of respondents in the UK trust companies and organisations with their personal data more since the GDPR came into effect one year ago. A good percentage but not earth-shattering. The survey also found that 57 per cent of respondents would be more likely to use websites that have a certification mark or security seal of approval to demonstrate GDPR compliance.
Consumers have been exercising their rights. The same research showed that 47 per cent of respondents have exercised their GDPR privacy rights by sending one or more of eight requests to a website, company or organisation. These included requests to erase, correct, access or transfer data or to restrict the use of personal data; complaints to a regulator or opting out or unsubscribing from email marketing or cookies. The last of these was by far the most common, however, at 38 per cent. Only three per cent of people had complained to the regulator.
The breach reporting requirements of the GDPR appear to have been adhered to. It is now mandatory in all member states to alert the national regulatory body within 72 hours if the breach can result in ‘a risk for the rights and freedoms of individuals’. Companies are also obliged to inform their customers without delay if a breach of their data has been detected.
So far 59,000 data breaches have been reported post-GDPR according to research from global law firm DLA Piper. The UK alone counted 10,600 breaches, while the Netherlands topped the table with 15,400. Fines for any breach can vary greatly – up to €20m or 4 per cent of annual turnover. In the majority of cases, however – with the exception of the Google fine mentioned previously – it would appear that the data watchdogs have rewarded prompt reporting by taking investigations no further. This is reasonable and in line with what we predicted at Semafone last year; the regulators want to work with us to protect customer data; not against us.
The Next Step – the CCPA
The next big piece of data privacy legislation is the California Consumer Privacy Act (CCPA), which comes into force on 1 January 2020. Already we are seeing echoes of the GDPR. Some organisations are dragging their feet and we anticipate a sudden panic towards the end of this year.
In contact centres, PCI DSS compliance goes a long way toward meeting the needs of the privacy regulations. At the heart of our philosophy is the principle that if you don’t hold someone’s data then it can’t be stolen. Whether you’re reviewing your GDPR policies a year on, gearing up for the CCPA or simply considering what more you can do to protect your customers’ data, then it’s a principle to bear in mind. They can’t hack what you don’t hold.
For practical advice on how to keep your contract centre on the right side of the GDPR, click here.