Organizations of all sizes doing business in the European Union will be affected by the General Data Protection Regulation.
Even though larger companies with more than 250 employees were initially targeted as requiring a data protection officer, smaller companies that process large volumes of private data may also need to hire a DPO.
In addition, companies must have a process in place to document their privacy policies for GDPR call center compliance. Larger companies with more complex processes will need to consult with lawyers and privacy consultants to customize their process documentation.
That may be a bit much for companies doing only a minimal amount of business in the EU, according to Margaret Alston, lead consultant at TrustArc, a privacy consultancy. After doing the math, she said, some companies are opting to close their European businesses rather than work through GDPR compliance issues.
"Companies should consider working with a lawyer to establish the legal basis for the various processes." -- Scott Pink, cybersecurity special counsel, O'Melveny & Myers
"GDPR is a regulation as a force of law, so any interpretation or application of that [regulation] requires someone that can apply the law to the particular set of facts of the client," said Scott Pink, cybersecurity special counsel at the law firm O'Melveny & Myers.
Call in the call center manager
In some cases, business executives -- typically a DPO, CFO, chief reputation officer or in-house legal team -- will need to have a privileged conversation with an outside attorney.
Pink offered a scenario in which call center managers are included in these conversations to ensure they fully understand their obligations and responsibilities. Outside lawyers can provide a certain amount of independence, as well as the benefit of working with a variety of clients.
For GDPR call center compliance, the key issue is establishing the legal framework for interactions between call center agents and customers, as well as their data. Debt collection companies are going to have different considerations than banks, telcos or vendors. B2B firms will have different processes than B2C firms. Outgoing call centers will have different requirements than those dedicated to inbound communications.
During these high-level legal conversations, a call center manager can identify and prioritize certain functions of the call center. Lawyers can provide the legal basis and guidelines to support these processes. Once the lawyers sign off, call center managers will need to frame these guidelines for call center reps.
Legal GDPR call center compliance is an important first step, but call center agents need to know how to properly communicate these policies to customers, prospects and users in a non-threatening manner.
"Problems can arise even when you are following all the legal guidelines if people are not happy with the process or the style of the agent," Alston said.
GDPR requirements can impact companies in different ways depending on their industry vertical. Industry trade associations can provide paperwork and process templates that might help narrow the list of compliance concerns for large and small companies.
Inbound vs. outbound concerns
Outbound call centers need to establish the legal basis for placing a call. That can be particularly challenging when making cold calls. Companies need to establish a policy around consent or the legality of placing outbound calls. The barriers are lower for B2B calls, but they still require justification, Alston said.
Inbound call centers also need to establish a policy for identifying privacy incidents and breaches. The call center is often the first line of defense to detect privacy and security breaches, Alston said.
Individuals who call in with a complaint usually don't recognize that a breach has occurred. Rather, they might say, for example, that they can't log into their account or that the balance in their account has changed. Agents in a GDPR call center, therefore, need to be trained to recognize the signs of a potential breach and escalate them.
Once the company becomes aware of a breach, the clock starts ticking: under GDPR, the company must notify the relevant supervisory authority within 72 hours, and must inform the affected individuals without undue delay where the breach is likely to pose a high risk to them. That's why the call center manager must work with the DPO, security team and IT team to have a process in place to quickly recognize, report and resolve a breach.
Here are some questions that need to be addressed and documented.
- What is the legal basis for keeping all the information stored in an individual's records that might show up in CRM systems?
- How will the call center respond to requests to remove information?
- How will the call center respond to requests for data in a machine-readable format?
- How will a user be notified after a change has been made?
- What is the legal basis for keeping information that someone might want removed, and how will you explain that to a customer?
- How will agents respond to calls from minors requiring parental permission?
- What private information is presented to call center agents, and how is it protected from abuse?
- What is the legal basis for contacting individuals?
- What is the process for flagging individuals who don't wish to be called?
Keep partnerships compliant
A company's outside partnerships may be impacted the most by GDPR, according to Pink of O'Melveny & Myers. That's relevant especially for call centers that rely on various software tools to enrich customer data or provide various call center services.
"You need to look at whether a proposed or existing partner is able to comply with the requirements of GDPR to the extent it applies to data," Pink explained. "The more data you give them, the higher the risk that you will fall outside of the protections or scope of GDPR. Then, if you are giving them the data on your behalf, you have to have a legitimate reason to provide a legal basis for doing so."
When it comes to partnerships, here are some important questions to address and document to ensure GDPR call center compliance:
- Can the partner companies respond to requests?
- What is their data incident plan?
- What is their security setup?
- Can they provide a process report?
Cost considerations may push companies to keep GDPR compliance to the bare minimum. But, in the long run, a good compliance strategy can reduce both costs and risks: the work of mapping and documenting how data is handled helps managers process it more efficiently and cost-effectively.
GDPR establishes principles to prevent companies from retaining data longer than necessary.
"If you really follow those principles," Pink said, "you are reducing a lot of data sets that create a risk, [while] enforcing some level of data hygiene."