BACKGROUND IMAGE: stock.adobe.com
It's one thing to write a plan and file it away on the computer or a bookshelf; it's quite another to roll out a straightforward plan with which all your call center agents can actually comply. This includes bringing them up to speed on changes and introducing tools and practices around policies like the General Data Protection Regulation, with which companies must comply by May 25.
The official guidelines for the regulation say very little about the amount of training required and suggest that companies adopt privacy by design. This leaves it up to enterprises and their digital privacy officers to develop best practices for their particular business needs. But, whatever you do, you have to document how this approach meets General Data Protection Regulation (GDPR) goals. The caveat is that poor training could lead to complaints and fines.
There is a lot to unpack relating to the security of a GDPR call center plan, the location of data and who processes it, which is beyond the scope of most call center agent training. But there have been some important changes to the definition of personally identifiable information (PII), which needs to be flagged.
Call center agents also need to learn new processes and tools to quickly submit the requested changes and know how to respond when they can't. They also need to learn how to explain policies and the rationale for decisions in plain language.
New items to include in the GDPR call center plan
Call center agent training will need to cover the new definition of PII, which includes a variety of new types of information, in addition to traditional things, like health data, ID numbers, addresses and credit card information. It now includes pretty much anything you can collect about someone including IP addresses, pictures, location data, online behavior, profiling data, race and religion.
When individuals ask about their information, agents also need to know how to find out what data is associated with that individual and where it came from.
Companies also need to train workers on new tools and workflows related to flagging this information and responding to requests. This could involve just adding a new screen to the call center app with buttons that enable agents to make changes directly or to submit a request to back-end systems that could propagate the request through the various enterprise and cloud services that hold the data.
GDPR does offer some leeway for removal and change requests -- companies have up to a month to make most of those changes.
A GDPR call center plan for agent training also needs to focus on changes that might affect customers and users. For example, would removing someone's data also delete his warranty records? And how exactly do you record someone's request to be placed on a do-not-call list when that person asks you to delete everything? A lot of these scenarios are still being worked out. Call center managers need to think through some of these scenarios in order to train agents to respond to them in a timely manner.
It's also important to keep in mind that compliance regulations require many businesses to retain some data in order to fight money laundering and to reduce fraud. When an agent can't make a change, he needs to be trained to explain why.
Call center agents should also be able to explain why a decision was made in plain language. This will be important in industries like finance, in which agents must explain things like why a loan application was rejected.
When creating a GDPR call center plan that tackles agent training, there is also an opportunity to take advantage of these changes to improve the call center agent experience. The process of rethinking the information presented to agents could also open up opportunities to improve customer experience or make better up-selling recommendations.
Find a pragmatic training strategy
Tom Pendergast, chief architect of MediaPro's Adaptive Awareness Framework for security and privacy training, said there were two ways to approach call center agent training in a GDPR plan. A cynical approach would simply require everyone to go through a short training and then promise to follow policies. This would be as simple as buying an off-the-shelf training program and declaring the call center GDPR-compliant.
"But this could come back to bite them with breaches or misdeeds," he said.
A more thoughtful approach would involve training employees to dramatically rethink all their processes for handling data from beginning to end. This is not just learning the basics, but also training employees to become aware of privacy incidents in the same way many companies report security incidents today. For example, employees might file a report for little things like sensitive documents left by the fax machine, or bigger things like a remove data process that didn't actually remove all the data.
In the short term, a GDPR plan mandating this kind of process may look kind of ugly as employees start to see problems that were previously common practice. But, over time, this could lead to a culture of respect for customers that builds the company's brand and improves their customer experience.
"That cultural shift is at the heart of the path to GDPR training compliance," Pendergast said. "Companies need to create a culture that expresses respect for the data rights of the individual if they will ever succeed in complying with GDPR."