The final countdown to GDPR: here’s a checklist for call centersReading Time: 5 minutes
Everyone is talking about GDPR, the EU’s General Data Protection Regulation that comes into effect on 25th May this year. The new legislation will bring major changes to the business world, and call centers, which usually deal with a huge volume of data, are certainly no exception.
GDPR aims to strengthen data protection across the EU, while giving people more control over how organizations can use their personal data. It will also introduce heavy penalties for organizations that fail to comply with the new legislation. For more information, read our previous blog post on GDPR.
As the final countdown has already begun, the issue is more relevant and urgent than ever. Check out our GDPR checklist, and make sure your call center is playing by the rules.
1. Raise awareness of data protection in your organization
First things first: GDPR applies to everyone in your organization, so it’s best that everyone in your organization is made fully aware of the importance of the new legislation. Make sure to appoint a team to monitor and audit the process of GDPR implementation. This team should thoroughly review how your customer data is collected, stored and processed.
You may also need to appoint a Data Protection Officer to oversee the process. Amongst other things, the Data Protection Officer should be responsible for training and advising your employees on how to be ready for GDPR.
2. Understand the data you collect
GDPR determines how organizations must handle the personal data they collect and store. Bearing this in mind, the first step you should take is to try and understand what data you collect and why you’re collecting it.
For call centers, this is particularly relevant because stricter rules will apply regarding the recording and archiving of customer calls. Therefore, make sure to review and identify how your call center stores customer information. Before you initiate a thorough data track in your company, start by answering the following questions:
For what purpose do I collect customer information? Is the information stored within my organization or externally? Do I need to store all the information I collect? If not, how can I dispose of it in a way that meets GDPR requirements?
Using a number of tech solutions will allow you to easily keep track of the data stored within your organization. For example, Zapier is a great online automation tool to connect different applications. With Zapier, you can keep your data up-to-date, and even transfer it in real time (check out how)!
3. Always ask for customer consent
Call recording is a common call center practice. However, once GDPR comes into force, gone will be the days of carelessly recording customer calls.
For call centers, agents are often required to record customer calls for training purposes. However, after GDPR becomes effective, call center agents will need to specifically request permission from their customers to be able to record calls. Therefore, it is essential to ensure that your staff always pay special attention to obtaining consent from your customers.
4. Make sure customers can easily access their personal data
Under the new rules outlined by GDPR, customers will have the right to access any of their registered data in a structured digital format. Once your customer makes a request, your call center supervisors will have one month to fulfill it.
During the implementation process, make sure to ask yourself the following questions: Am I able to easily track the requested personal data? Are my call center supervisors able to fulfill the request within the given time period? What is the easiest way to fulfill the request?
If you don’t have the answers, then you need to work on your procedures.
5. Prepare for the right to be forgotten
With GDPR in force, companies will be required to remove customers’ personal data upon request without charging them. For this reason, you should have efficient procedures to track customer data, check what information they hold and where it came from. Implementing tech solutions will also allow you to easily delete the requested data.
6. Always notify your customers about data breaches
GDPR will require organizations to report data breaches to the relevant authorities and individuals affected within 72 hours. However, it is worth knowing that notification is not needed if the data breach does not negatively affect the customer in question, and it can be delayed if there are exceptional circumstances. With this in mind, make sure you have the appropriate measures to detect, report and investigate data breaches.
7. Make sure your providers are also GDPR ready
If you operate a call center, it is more than likely that you use external service providers to store and process the customer data you collect. Therefore, it is crucially important to keep in mind that compliance is your responsibility. Check carefully that the external service providers you use are 100% up-to-date and GDPR compliant.
It is a good idea to clearly define the general rules with your service providers at the very beginning, to make sure that everyone is perfectly aware of the shared responsibility.
8. Practice makes perfect
As they say, practice makes perfect. You successfully implemented GDPR in your organization and ensured your employees are up-to-date with the new procedures. Unfortunately, that doesn’t mean your work is done here.
Testing your procedures systematically is equally important. Make sure to evaluate customer calls to ensure your employees are successfully implementing the changes and properly communicating them to your customers. Turning this into regular practice will make all the difference.
Good luck with implementing GDPR in your organization. We’ll have another blog article in the next few days, so watch out for it!
Articles and entries on vcc.live/blog do not constitute legal advice. Should you have any legal questions, please contact your lawyer or legal advisor. VCC Live® will not take any responsibility or liability for any damages, disadvantages or losses that may arise from the results of any interpretation of the contents of the blog.