Since the implementation of the General Data Protection Regulation (GDPR) in May 2018, call centres across the UK and Europe have had to adapt their practices to ensure compliance with the new regulations. The GDPR, which replaced the UK's Data Protection Act (DPA) 1998 and the 2003 Privacy and Electronic Communications Regulations (PECR), introduced significant changes to the way personal data can be handled, stored, and used. It also strengthened the enforcement of non-compliance, with hefty fines for businesses that fail to adhere to the regulations.
As call centres typically handle a vast amount of customer data, it is crucial for them to prioritise privacy and data protection. Prior to the GDPR, regulatory bodies such as Ofcom helped establish reasonable call centre practices. However, with the introduction of the GDPR, businesses were required to overhaul their call practices and data collection processes to ensure compliance.
Almost six years after the implementation of the GDPR, it is essential that all aspects of your contact centre remain compliant with the regulations. Failure to do so can result in severe penalties, including fines of up to €20 million or 4% of your company's global annual turnover, whichever is higher.
Despite the time that has passed since the introduction of the GDPR, some businesses may still struggle to understand what is expected of them. To help you navigate the complexities of GDPR compliance, we have put together a comprehensive guide that covers the basic pillars of GDPR compliance that affect the average call centre.
In this updated guide, you'll learn about the key aspects of the UK GDPR that call centres need to be aware of, including:
- The principles of data processing and the lawful bases for processing personal data
- The rights of data subjects and how to handle data subject access requests
- The importance of data minimisation and storage limitation
- The role of data protection impact assessments (DPIAs) and when they are required
- The requirements for data breach notification and the steps to take in the event of a breach
- The consequences of non-compliance and the potential fines and penalties
By understanding and implementing these GDPR requirements, your call centre can ensure ongoing compliance, protect your customers' personal data, and avoid costly fines and reputational damage.
UK GDPR vs EU GDPR
The UK GDPR closely follows the EU's GDPR, with the UK Data Protection Act (DPA) adapting the rules for the UK's legal system. The UK incorporated the EU's GDPR entirely until the end of 2020, but from January 2021, the UK's GDPR replaced it, with slight modifications to fit the UK's legal framework.
Key points:
- The UK now has two key data protection laws: the DPA 2018 and the UK's GDPR.
- Businesses in the UK and international organisations must ensure GDPR compliance for both EU and UK laws where applicable.
- The EU has adopted an adequacy decision for the UK, allowing personal data to flow freely between the EU and UK until June 2025, when it expires. Renewal of this decision is not guaranteed.
- The UK's GDPR has extraterritorial scope, meaning any organisation or website processing data of UK residents must comply, including EU companies serving UK customers.
- Pseudonymisation and anonymisation of personal data is encouraged in the UK's legislation, offering benefits such as enhanced security and reduced risks for individuals' data usage.
- Protecting data remains extremely important for all UK-based companies to avoid financial losses due to non-compliance.
The UK's GDPR deviates from the EU's regulations in some areas, such as immigration, national security, and intelligence, where exceptions to normal data protection can be made. The Information Commissioner now serves as the enforcer, supervisor, and regulator of the UK's GDPR, taking the role the European Data Protection Board plays in the EU. The age of digital consent in the UK is lowered to 13, compared to 16 in the EU.
Steps to Maintain GDPR Compliance in 2024 within Your Contact Centre
As we enter 2024, the General Data Protection Regulation (GDPR) remains a crucial consideration for businesses operating contact centres. While the fundamental principles of GDPR have remained consistent since its implementation in 2018, it is essential to review and update your compliance strategies to ensure ongoing adherence to the regulation. Here are seven key areas to examine in your business to maintain GDPR compliance in your contact centre.
1. Processing Data
Before initiating any calls, ensure that you have a valid legal basis for processing personal data. Under GDPR, there are six lawful bases for processing data:
1. Consent – The data subject has given clear, affirmative consent
2. Contract – Processing is necessary for the performance of a contract or in forming a contract
3. Legal Obligation – Processing is essential for complying with the law
4. Vital Interests – Processing is necessary to protect someone's life
5. Public Task – Processing is necessary for a task carried out in the public interest
6. Legitimate Interest – Processing is necessary for your legitimate interests or the interests of a third party, provided it does not override the data subject's rights and freedoms
In many contact centres, calls are made to fulfil contractual obligations. In such cases, seek the explicit consent of your data subjects: pre-ticked boxes or assumed consent are not considered valid under GDPR. For cold calling, you must demonstrate a 'legitimate interest' in using the data, showing that your right to conduct business outweighs the data subject's right to privacy. Adhere to Ofcom guidance, keep your rate of dropped and abandoned calls low, and document the source of your data to support your legitimate interest claim.
2. Data Storage
Data controllers and processors must take appropriate technical and organisational measures to protect personal information. This includes:
- Physically secure data centres
- Firewalls implemented on networks
- Ongoing monitoring
- PCI-DSS Compliance
- Encryption
When using a predictive dialler, ensure your service provider understands IT security, the latest threats, and how to protect data both in storage and in transit. Hostcomm's cloud contact centre, for example, supports encryption in transit using TLS 1.3 and encryption at rest in the UK zone of AWS (eu-west-2). If your contact centre is going to store personal data in the EU zone, be aware that the adequacy decision mentioned above is due to expire in June 2025 with no automatic renewal. You must also ensure that the host complies with both the UK GDPR and the EU GDPR.
3. Call Recording
Call recordings containing personal information require special consideration under GDPR. Assess whether you have a legal basis to record calls and establish robust processes for handling recordings.
Your legal basis for call recording may be based on legitimate interest (e.g., monitoring agent performance) or explicit consent. If relying on legitimate interest, conduct a balancing test to weigh your commercial interests against the data subject's right to privacy. If using consent, employ technologies like Interactive Voice Response (IVR) to obtain positive, proactive consent before recording begins.
Ensure your dialler supports secure storage of call recordings, enables easy retrieval of recordings for data subject requests, and allows for the removal of recordings if consent is withdrawn.
4. Responding to Requests
Under GDPR, data subjects have the right to access, rectify, and request the removal of their personal data. Respond to access requests within one month, free of charge. Remove data within a reasonable timeframe when requested, and rectify data within one month.
Ensure your cloud contact centre allows for quick and easy retrieval of personal data, ideally consolidating all relevant information in one place. Use automation, such as integrating your predictive dialler or contact centre with your Customer Relationship Management (CRM) system, to streamline the handling of data subject requests.
5. Removing and Disclosing Records
Use call disposition codes to assess the quality of your data lists and identify records that need to be cleansed from your database. Integrate disposition codes with your CRM system to automate the removal of outdated or inaccurate records, ensuring the information you work with remains up-to-date and compliant.
6. Reporting
Maintain comprehensive records of how personal data is used within your contact centre. Your dialler, inbound contact centre solution, and CRM system should work together seamlessly to provide insights into data usage, including when positive opt-ins were secured or the rationale behind processing data under legitimate interest.
Implement automated reports that can be generated and distributed regularly to key stakeholders, and store these reports for easy access in the event of an audit.
7. The Wider Value Chain
Assess the GDPR compliance, security measures, and understanding of responsibilities of all third-party services, hosted dialler providers, and data suppliers involved in your data processing activities.
As the data controller, you are ultimately responsible for GDPR compliance, even if data originates from an external source. Vet every organisation involved in the data processing chain to ensure compliance and avoid potential liabilities.
By focusing on these seven key areas and regularly reviewing your compliance strategies, your contact centre can maintain GDPR compliance in 2024 and beyond, protecting both your customers' personal data and your organisation's reputation.
Here at Hostcomm, all of our contact centre solutions are created with GDPR requirements in mind, so you can rest assured that the Predictive Dialler you use, or are thinking of using, from us will be in line with all compliance standards. If you would like to find out more about Ensuring Data Security and Compliance, you can check out our previous blog post, or discover more about what our products offer by getting in touch with our expert team!