If you run an inbound or outbound call centre, you probably already take privacy very seriously. Prior to GDPR, the UK’s own Data Protection Act (DPA) 1998 and the 2003 Privacy and Electronic Communications Regulations (PECR), laid out clear expectations for handling personal data, while regulatory bodies, such as Ofcom, helped to establish the boundaries of reasonable call centre practices.
In May 2018, the General Data Protection Regulation (GDPR) was implemented, making sweeping changes to the ways in which data can be handled, held and used, as well as altering the way in which non-compliance is enforced. With call centres typically dealing with a great amount of customer data, an overhaul in call practices and data collection was required for each business. With GDPR now law, and hefty fines in place for those not following the regulations, it is essential that all areas of your contact centre are compliant. However, with all legal obligations, some businesses will naturally struggle with understanding what exactly is expected from them, so we have put together a comprehensive guide to help you out.
In this guide, you’ll learn about the basic pillars of GDPR compliance that affect the average call centre - what the regulations entail, what you need to do to achieve compliance, and the consequences you could face if you don’t.
Key Questions About GDPR
Steps to Achieve GDPR Compliance
There are seven key areas that you will need to examine in your business to ensure that all forms of data gathered by your contact centre meet GDPR requirements.
1 - Processing Data
Before you call a single number, you need to be confident that you have a legal basis for processing that personal data (i.e. calling it).
Under GDPR, there are six reasons considered valid for processing data (i.e. calling):
1. Consent – The data subject has given clear consent
2. Contract – The processing is necessary for a contract or in forming a contract
3. Legal Obligation – Processing is essential for complying with the law
4. Vital Interests – Processing protects someone’s life
5. Public Task – Processing is necessary for a task that falls under the public interest
6. Legitimate Interest – Processing is necessary for your legitimate interests or the interests of a third party – to such a degree that it outweighs the need for privacy
In many contact centres, you will need to make calls in order to fulfil your part of a contract. To do so, you will need to seek the consent of your data subjects - and, under GDPR, this must be positive opt-in, not assumed consent or pre-filled tick boxes on your website.
When it comes to cold calling, things are a little more complicated. You’ll need to prove that you have a ‘legitimate interest’ in using the data - that is, your right to run a business outweighs the right of a data subject not to be disturbed at a reasonable time. Providing that you’re already calling in-line with Ofcom guidance - with a low threshold for dropped and abandoned calls - and you can show where you got the data, you should be able to make a case for legitimate interest. This will need to be recorded and may need to be presented to auditors or following a complaint.
2 - Storing Data
While the text of the GDPR is frustratingly non-specific, data controllers and data processors must take appropriate steps to keep personal information confidential. This will involve organisational measures (policies and practices) as well as technical systems to protect data. It’s more important than ever to work with a partner that understands IT security.
If you use a hosted dialler, some of your security will be in the hands of your service provider. With that in mind, it’s more important than ever to work with a partner that understands IT security, the nature of the latest threats, and how to protect data in storage and in transit.
Key things to look for include:
● Physically secure datacentres
● Firewalls implemented on networks
● Ongoing monitoring
● PCI-DSS Compliance
● Encryption
3 - Call Recording
An often forgotten about piece of personal data, your call recordings need special consideration to achieve GDPR compliance. The typical call recording will contain some measure of personal information - and you have little to no control over how much personal data your subjects part with.
With that in mind, every contact centre should have a clear strategy around call recordings under GDPR. There are two key areas to assess: whether you have a legal basis to record calls and your processes for handling recordings.
Your legal basis for call recording
Before GDPR, most call centres simply notified data subjects that their calls may be recorded, and assumed consent if the call is allowed to continue. Under GDPR, this isn’t good enough. Your need to monitor agent performance may form the basis of a legitimate interest. However, you need to conduct a balancing test to weigh your commercial interests against your data subject’s right to privacy.
Alternatively, you can record and store calls based on positive, proactive consent. Your dialler can help with technologies like Interactive Voice Response (IVR) that can require a caller to take positive action (by pushing a key) before the recording begins. Alternatively, you’ll need robust processes for storing call recordings securely, disclosing the personal data your agents can seek consent over the phone, and this can be recorded in your dialler database.
Processing call recordings
Storing personal information for any length of time counts as data processing. As a result, information you hold must be provided to data subjects on request, and old recordings must be removed if a customer withdraws their consent. Agent training is an important step, but your underlying technology must support them effectively, making compliance as quick and easy as possible.
4 - Responding to Requests
In addition to giving data controllers and data processors more responsibility, GDPR gives data subjects unparalleled rights to access the personal data you hold - and request that it is removed.
If a data subject requests access, you must provide this free of charge within one month. If a data subject requests removal, this must take place within a reasonable timeframe. If a data subject requests that their data is rectified, this must take place within one month. In addition, data subjects can consent to certain types of processing (for example, email contact), while removing consent for others (for example, calling).
Ease of access to personal data
With strict timelines, responding to requests from data subjects depends on the personal data you hold being easily retrievable. While pulling records from a dialler database is typically fast, this isn’t always the case with other forms of data like recorded calls.
For the sake of maximising efficiency and keeping your costs controlled, make sure your dialler allows you to search data quickly and easily, ideally bringing all the types of information related to a given data subject together in one place.
Automating your processes
In addition, the use of automation can be an effective way to keep on top of requests from data subjects. If your dialler is integrated with your Customer Relationship Management (CRM) system, you can use call disposition codes to trigger automated workflows in an instant.
As an example, you could configure a disposition for ‘disclose data’, which automatically dispatches a copy of the personal data you hold when the call ends. As data subjects become more familiar with their rights and choose to exercise them more often, this can be a useful way to keep on top of your obligations.
5 - Removing and Disclosing Records
It is impossible to improve the value you get from your data lists if you don’t understand their quality. Call disposition codes can help you make sense of how your data translates into call outcomes.
Typically, contact centres focus on the use of dispositioning to assess the performance of agents and campaigns, and present that performance to the centre using a wallboard. However, disposition codes are just as useful in assessing the performance of data lists. In a simple pop-up box, your agents can select the most appropriate call outcome, including options for people who have moved, are deceased, or are otherwise not qualified prospects.
A dialler enables these codes to be easily analysed, so you can uncover patterns that may indicate problems with the data list you are using. For example, a large number of ‘not here’ outcomes may indicate that the list you have paid for is already out of date.
In addition, disposition codes can be fed into your Customer Relationship Management (CRM) system directly. Using these codes, you can then target records that need to be cleansed from the database – keeping the information you and your agents are working with more accurate and up-to-date. And that means a better return on investment by not wasting time and money on records that won’t lead to conversions.
6 - Reporting
GDPR compliance isn’t just about developing and implementing new procedures around personal information. Your real goal is being able to report on every aspect of how you use data, demonstrating your compliance in the event of an audit, complaint, or data breach.
Your dialler, inbound contact centre solution, and CRM system should work seamlessly together to give you the insight you need into how personal data is used. Ideally, this will include clear information on when you secured a positive opt-in (if relevant) or the rationale behind your decision to process data under the legal basis of ‘legitimate interest’.
We’d recommend implementing automated reports that can be built and distributed on a regular basis to key stakeholders. These can then be stored to give you complete insight in the event of an audit.
7 - The Wider Value Chain
Finally, it’s important to remember the other businesses and organisations that may be involved in your use of personal data. This could include third-party services, your hosted dialler provider, and the company you buy data from.
Within your call centre, you decide how and when data is processed. As a result, you are the data controller - even if your list has come from an external source. This leaves you with the ultimate responsibility for GDPR compliance and data protection.
Consider the complete route that data takes from data subjects to your call centre. Every organisation involved in this process should be vetted for GDPR compliance, effective security, and a good understanding of their responsibilities. That way, you’ll avoid the potential disaster of taking responsibility for non-compliant records you were unaware of.
