Are you one of the nearly 90% of Asia Pacific businesses that knows little or nothing about the EU’s upcoming GDPR change that comes into play on 25 May 2018?
The scary part is that if you fail to comply with the regulation requirements, you could be slapped with administrative fines up to €20 million, or in the case of an undertaking, up to 4 percent of the total worldwide annual turnover of the preceding financial year, whichever is higher.
What is GDPR?
The General Data Protection Regulation (GDPR) requires organisations anywhere in the world that process personal data of individuals in the European Union (EU) to protect that data to a high standard, to know what personal data they hold and where it is stored (Article 30 requires a record of processing activities), and to abide by the articles.
The GDPR is centred on the rights of individuals, and places a hefty responsibility on organisations. It contains 11 chapters and 99 articles. The following are some of the articles that may have the greatest impact on Australian contact centres providing services to European residents:
- Consent must be provided. Every processing activity needs a lawful basis under Article 6. Where that basis is consent, Article 7 requires it to be freely given, specific and unambiguous, and the request for consent must be presented in clear and plain language rather than buried in confusing legalese or jargon (Article 12 adds the same transparency requirement for all communications with individuals). It must be as easy to withdraw consent as it was to give it, at any time (Article 7(3)).
- Data must be protected. Article 35 requires a Data Protection Impact Assessment (DPIA) before any processing likely to result in a high risk to individuals, such as systematic monitoring or large-scale processing, to identify risks to consumer data, and Article 35(11) requires that assessment to be reviewed when the risk changes, to ensure those risks are still being addressed. (Articles 33 and 33a were the numbering in the draft regulation; in the adopted text Article 33 covers breach notification.)
- The right to control. Article 21 lets EU residents object to processing, including profiling, and to direct marketing. Article 20 (the "right to data portability") lets them receive the personal data they provided in a structured, commonly used, machine-readable format and have it transmitted to another service provider. Article 18 lets them restrict processing while a dispute is resolved, and in the circumstances set out in Article 17 they may direct a controller to erase their personal data.
- The right to access. Article 15 relates to EU residents requesting a copy of the data held on them together with details of what you use their data for, whether you have sent the data elsewhere and to whom (or intend to), how long you'll keep their data for, and where you got their data from, if not from them directly.
- The right to be forgotten. Article 17 covers requests to delete an EU resident's personal data from your data storage. The request must be fulfilled where one of the six grounds in Article 17(1) applies (for example, the data is no longer needed for the purpose it was collected for, or consent has been withdrawn and no other lawful basis exists), unless one of the exceptions in Article 17(3) applies, such as a legal obligation to retain the records.
And yet another regulation
Individuals in the EU may also have to opt in to marketing. Alongside the GDPR there is another regulation, the ePrivacy Regulation (still at the proposal stage), which will tighten the rules on marketing, with the default position being that all marketing to individuals by phone, text or email must be opt-in.
The two regulations combined are designed to provide greater protection around the use and storage of individual data on EU residents.
Do Australian companies need to comply?
Yes, they do, if they have an establishment in the EU, if they offer goods or services to individuals in the EU (irrespective of whether payment is required), or if they monitor the behaviour of individuals in the EU (Article 3). The test is where the individual is located, not their citizenship, so you need to check the location of the prospects and customers you have on file.
Are there GDPR implications for Australian contact centres?
With data protection being the crux of the regulation, contact centre software, credit card transaction devices, call recording software and service/case management platforms must be GDPR compliant for services provided to EU residents. The new, stricter rules on how data is captured and stored will place much tighter requirements on call recording and archiving.
The extent to which the GDPR will affect Australian contact centres is a grey area, and at this stage it is probably only relevant to those businesses that have EU residents as customers or prospects.
Things which may require further investigation include:
- GDPR Compliance scripts read out by agents.
- Justification for call recording. Every recording needs one of the six lawful bases in Article 6(1): consent, performance of a contract, a legal obligation, vital interests, a public task, or legitimate interests. Consent is the hardest to rely on for recordings because it can be withdrawn at any time; a legal obligation (such as financial-services record-keeping) or legitimate interests are the more usual bases, and the basis chosen should be documented.
- The storage and recall of data. Access requests must be answered within one month (Article 12(3); this can be extended by two further months for complex or numerous requests, provided you tell the individual within the first month). When a request is made electronically the data must be provided in a commonly used electronic form (Article 15(3)), and portability requests must be met in a structured, commonly used, machine-readable format (Article 20).
- The erasure of data, including text records, call recordings and other communications, across all channels.
- Security of data, beyond credit card info. GDPR requires secure storage and management of all personal customer and employee data.
- Notification periods for data breaches. A personal data breach must be reported to the supervisory authority within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to individuals (Article 33), and to the affected individuals without undue delay where it is likely to result in a high risk to them (Article 34). Call recordings, case notes and CRM exports all need to be within the scope of breach detection for this deadline to be achievable.
- Implementation. Article 5 says that organisations must be able to demonstrate compliance with all the principles relating to the processing of personal data. Article 24 requires organisations to implement appropriate technical and organisational measures, including data protection policies, to ensure and be able to demonstrate that processing complies with the GDPR. Article 25 requires technical and organisational measures showing that data protection has been considered and integrated into processing activities: "data protection by design and by default".
What to do now
If your organisation does hold data about EU residents, then we recommend starting by performing an audit to
- identify what information you hold and where it came from
- assess the security of the data as it moves through your system
- check your compliance with GDPR requirements.
Having the right contact centre technology in place, integrated with back office systems and able to store and retrieve data and recordings securely, will make managing GDPR compliance a lot smoother.