by Martin Hill-Wilson – Consultant, Brainfood

Protection seems an obvious thing to talk about in relation to GDPR – it’s in the name, after all.

But it’s worth a closer look, for a few reasons. First, who is doing the protecting? On the face of it, it’s the enforcer of the legislation itself, which will be the relevant (and pre-existing) national data protection authority. But GDPR also confers significant responsibilities for protection onto the processors and controllers of data.

Contact centres can be defined as either processors or controllers – it depends on how they operate – but GDPR will increase the legal exposure of processors to the extent that it’s unadvisable to lean on the lesser categorisation as a defence.

Second, before a contact centre can protect customers’ personal data, it needs to know everything about it. Where is it all? How is it being used? Who has access to it? These are not simple questions to answer. Digital data flows have never been more complex, opaque and widely distributed. But if you don’t know where your data is, you can’t even begin to guarantee its protection.

Knowing Data, Knowing EU

Here are some examples of why GDPR means you need to get to know your data in order to protect it.

Get to know:

  • The definition of personal information

Starting at the beginning, GDPR broadens “personal information” to mean any data that can be used to identify a person. This includes data garnered from online behaviour; derived by combining datasets; or inferred by using algorithms to analyse metadata in order to profile a person for, say, job suitability.

  • How widely the protective net is cast

GDPR doesn’t just protect data pertaining to EU citizens. It extends to anyone physically present in the EU – nationality is irrelevant. What’s more, it still applies to their data even if it’s stored outside the EU.

  • Where the data is and how it’s being used…

Organisations will be required to provide evidence of how customer data is being used, where it is being stored and processed at any given point in time. Think about the sum total of the data held on mobile devices; how frequently they go missing; how frequently they’re used by friends and family. Think too about the cloud. It’s accessible anywhere by design. From home or the office; inside or outside the EU.

  • …so you can comply with the right to erasure.

GDPR allows individuals to request the deletion of their personal data. The circumstances under which they’re entitled are broad enough to include the basic withdrawal of consent. Consequently, a contact centre will have to ‘know how and where call recordings are stored, ensuring they can identify, access and, if necessary, delete any recording or record that includes a customer’s personal information.’[1]

Going beyond compliance

By tying the penalty for non-compliance to company earnings, GDPR is effectively creating means-tested penalties. It will no longer be feasible to consider them as a cost of doing business.

As an example, TalkTalk’s £400,000 fine for their 2015 data breach would, under GDPR, have been roughly £72 million. And that’s without placing a figure on the reputational damage.

Any business hoping this issue will go away is kicking a hugely expensive can down the road with ‘PR disaster’ spray-painted on the side.

But this needn’t be a festival of feet dragging and begrudging compliance. GDPR can be reframed as a huge opportunity, because it fundamentally reshapes the relationship between companies and consumers. You no longer own their data – it’s yours to look after, on loan and on trust. Any company that meets or exceeds those expectations – that gets to know its data and ensures its protection – will, in the process, gain greater customer trust and loyalty.

For more information, download the whitepaper: GDPR – How it changes your contact centre.



[1] http://www.continuitycentral.com/index.php/news/erm-news/1996-the-impact-of-the-gdpr-on-contact-centre-operations


Leave a Reply

Your email address will not be published. Required fields are marked *