EU data protection law is changing… is your contact centre ready?
By Craig Marston, Director of Business Transformation & Compliance at Gradeon.
The EU General Data Protection Regulation (GDPR) will come into effect on 25th May, 2018. It is set to change the European privacy landscape and it will greatly impact organisations, particularly contact centres.
The regulation is designed to give consumers more control over their personal data. Non-compliance could result in fines of up to €20 million or up to 4% of global turnover.
However, a recent study by Crown Records Management of IT decision makers in the UK found that one in four UK businesses say they have cancelled all preparations for the EU General Data Protection Regulation in the mistaken belief that it will not apply after Brexit.
Be assured GDPR is going to affect UK businesses offering any type of service to the EU market, regardless of whether your business stores or processes data on EU soil, and whether the UK stays in the EU or not.
Here are some key points that may help you comply with the changes and minimise risk:
Data management is essential to comply with GDPR
Stronger accountability is an important principle of the GDPR and requires insight into the processing of all personal data held. New, explicit definitions of consent will be introduced, along with consumer rights to delete, amend and transfer data. There will be more emphasis on knowing what personal data you have and how you process it.
The GDPR puts emphasis on consumer rights. To be able to honour these rights, you need to know exactly what personal data you hold, where it is, and how it is processed. To respond to your clients, employees and business partners, that knowledge about their data is essential. Software tools for managing personal data are becoming increasingly available and will prove essential to many organisations going forward.
Do not re-invent the wheel
Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA), so if you are complying properly with the current law then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from.
On some topics the GDPR goes further, and implementation decisions are more explicit. Build a proper base for GDPR compliance by analysing the risk of processing personal data in your organisation. This will enable you to prioritise the many actions you will likely need to take, and minimise your risks in a short amount of time.
Review internal policies and processes to identify “gaps”
Review internal policies and processes to ensure data is protected, governed, managed and utilised effectively in line with the organisation’s strategy. Also cover technological challenges such as data subject access requests, data retention, breach notification, and international and third-party data transfers.
Undertaking a gap analysis of your current processes and controls is advisable. This will provide useful data to navigate you through the requirements and provide a road map for achieving compliance with GDPR. You will be looking to understand how your policies and processes fit with the new regulations and what changes to things like process, security, training and planning you need to make or implement to comply.
Culture and Awareness
A solid governance structure is essential to standardise privacy and develop privacy by design and default. To create a cultural and organisational change for GDPR compliance within your organisation, buy-in from employees and stakeholders is very important. By developing internal guidelines for employees, compliance with legal requirements for data processing and securing data can be ensured. Incorporate training and awareness programmes for everyone who is going to be involved in the processing of personal data. Your organisation can also consider subscribing to an industry code of conduct or creating internal guidelines and a review process for data analytics.
Leveraging customer relationships
Complying with the latest legislation can be an enormous investment, not only in money but in time as well. To help with this, just bear in mind that complying with the GDPR will help you greatly in building trust with consumers, which will improve your relationship with them. In addition, complying with the GDPR principles helps mitigate risk and reputational damage. Data protection is something that matters to consumers. Numerous surveys conducted over the past five years have shown that consumers are becoming increasingly concerned about how their data is used and the controls they have over it. Being able to demonstrate full compliance with the GDPR and show an ethical approach to how you handle consumers’ data means that you are more likely to stand out from the pack, which will in turn open opportunities to build stronger relationships with your customers.
Craig Marston is the director of governance, risk and compliance experts, , established in 2015. Clients include Superdrug, Tripudio, Iglu and Target. Gradeon have been working to deliver the framework for businesses to question, evidence and report on the GDPR as well as ISO, PCI, SOX and other regulatory standards. Recently they have designed a flexible, scalable platform that can run on-premise or as a SaaS service and is adaptable to real-life business change and operations.
For additional information on Gradeon, visit their website.