How GDPR affects call centers – everything you need to know
After a two-year preparation period, it’s now official: organizations need to ensure that the way they store and process data complies with the new rules outlined by GDPR.
Even though GDPR is now in force, it is still a hotly debated topic for companies in every industry. In fact, many of them are still trying to establish what their obligations are under the new rules.
As call centers handle vast quantities of personal data on a daily basis, it is clear that data security requirements need to be at the heart of these organizations’ processes. So, check out our ultimate GDPR guide for call centers and make sure that you too have thoroughly prepared for the changes!
Before we dive in, let’s start with some key facts about GDPR.
What is GDPR?
The General Data Protection Regulation (GDPR) is a new piece of EU legislation that requires businesses to protect the personal data and privacy of European Union citizens wherever in the world the data is handled. The legislation replaces the Data Protection Directive (DPD), as well as the UK Data Protection Act introduced in 1998 and other similar acts throughout Europe. The main goal of GDPR is to strengthen data protection across the EU and beyond, giving EU citizens more control over how organizations can use their personal data.
Who does GDPR apply to?
The new legislation applies to any company that processes and stores the personal data of EU citizens, regardless of whether or not they are located in an EU member state. In other words, any organization that comes into contact with EU citizens’ data in any way, wherever they are in the world, must comply with GDPR.
Companies are subject to GDPR if:
- They have a presence in an EU member state
- They are not located in the EU but process EU residents’ personal data
When did the GDPR come into effect?
GDPR came into force on May 25 this year, after a two-year preparation period. Companies that fail to comply with the new legislation face potentially heavy fines.
What are the penalties for failing to comply with GDPR?
Companies can face fines of up to 4% of their annual global turnover or €20 million, whichever is higher. The amount imposed depends on the severity of the violation.
What data is protected under GDPR?
GDPR protects EU citizens’ personal data, including any information that can be used to identify a particular person, such as name, address, date of birth and social security number.
GDPR also applies to web-based data, such as user location, IP addresses and cookies.
The new legislation has brought major changes to the business world, and call centers, which usually deal with a huge volume of data, are certainly no exception.
Below you can find our GDPR checklist for call centers. Make sure to check it out and ensure your call center is playing by the rules.
1. Raise awareness of data protection in your organization
First things first: GDPR applies to everyone in your organization, so everyone should be made fully aware of the importance of the new legislation. Appoint a team to monitor and audit the process of GDPR implementation. This team should thoroughly review how your customer data is collected, stored and processed.
You may also need to appoint a Data Protection Officer to oversee the process. Amongst other things, the Data Protection Officer should be responsible for training and advising your employees on how to be ready for GDPR.
2. Understand the data you collect
GDPR determines how organizations must handle the personal data they collect and store. Bearing this in mind, the first step you should take is to try and understand what data you collect and why you’re collecting it.
For call centers, this is particularly relevant because stricter rules now apply to the recording and archiving of customer calls. Therefore, review and identify how your call center stores customer information. Before you start a thorough data-mapping exercise in your company, begin by answering the following questions:
For what purpose do I collect customer information? Is the information stored within my organization or externally? Do I need to store all the information I collect? If not, how can I dispose of it in a way that meets GDPR requirements?
A number of tech solutions can help you keep track of the data stored within your organization. For example, Zapier is an online automation tool that connects different applications; with Zapier you can keep your data up to date and even transfer it in real time. Bear in mind, though, that any such tool handles your customers’ personal data on your behalf, so it must meet the same requirements as any other external provider (see point 7 below).
3. Always ask for customer consent
Call recording is a common call center practice. However, now that GDPR is in force, the days of carelessly recording customer calls are over.
Call center agents are often required to record customer calls for training purposes. Under GDPR, however, agents need to specifically request permission from customers before recording a call. Therefore, it is essential to ensure that your staff always pay special attention to obtaining consent from your customers.
4. Make sure customers can easily access their personal data
Under the new rules outlined by GDPR, customers will have the right to access any of their registered data in a structured digital format. Once your customer makes a request, your call center supervisors will have one month to fulfill it.
During the implementation process, make sure to ask yourself the following questions: Am I able to easily track the requested personal data? Are my call center supervisors able to fulfill the request within the given time period? What is the easiest way to fulfill the request?
If you don’t have the answers, then you need to work on your procedures.
5. Prepare for the right to be forgotten
With GDPR in force, companies are required to remove customers’ personal data upon request, free of charge. For this reason, you should have efficient procedures to track customer data, check what information you hold about each customer and where it came from. Implementing tech solutions will also allow you to easily delete the requested data.
6. Always notify your customers about data breaches
GDPR requires organizations to report data breaches to the relevant authorities and to the individuals affected within 72 hours of becoming aware of the breach. However, it is worth knowing that notification is not needed if the data breach does not negatively affect the customer in question, and it can be delayed in exceptional circumstances. With this in mind, make sure you have the appropriate measures in place to detect, report and investigate data breaches.
7. Make sure your providers are also GDPR ready
If you operate a call center, it is more than likely that you use external service providers to store and process the customer data you collect. Keep in mind that compliance remains your responsibility even when the data is handled by a third party. Check carefully that the external service providers you use are 100% up to date and GDPR compliant.
It is a good idea to clearly define the general rules with your service providers at the very beginning, to make sure that everyone is perfectly aware of the shared responsibility.
8. Practice makes perfect
As they say, practice makes perfect. Suppose you have successfully implemented GDPR in your organization and ensured your employees are up to date with the new procedures. Unfortunately, that doesn’t mean your work is done.
Testing your procedures systematically is equally important. Make sure to evaluate customer calls to ensure your employees are successfully implementing the changes and properly communicating them to your customers. Turning this into regular practice will make all the difference.
Perhaps one of the most confusing areas of the new rules – and one causing headaches for many businesses – remains the handling, processing and retention of recorded calls. As we all know, call recording is a common call center practice, with many benefits for a call center. But when it comes to recording agent calls, are you sure that your call center is playing by the rules?
Below we highlight how the new legislation affects call recording, and how you can ensure that your call center handles call recordings in accordance with these new rules.
Call recording under GDPR
As already mentioned, the main aim of GDPR is to strengthen data protection across the EU, while giving people more control over how organizations can use their personal data. In fact, although you might not think so, voice files are considered personal data as they can include personal information, such as the caller’s name, address or financial information. As a result, call recording is classified as a form of ‘data processing’, and falls under the new rules covered by GDPR.
Although call recording was already classified as a form of “data processing” under the Data Protection Act of 1998 (DPA), GDPR brought some significant changes to the table, and call centers will definitely need to take them into consideration if they plan to continue recording their calls.
Under the DPA, tacit consent was assumed as long as customers were informed about the purpose of the recording and were given the option to opt out. Under GDPR, however, the individual’s consent to be recorded can no longer simply be assumed. As a result, the often-used “calls are recorded for training purposes” message is no longer enough to gain consent to record agent calls.
With GDPR in force, call centers need to ensure that customers give specific and unambiguous consent to be recorded. In addition, organizations need to be able to show that their purpose for recording calls meets at least one of the conditions below:
- Individual(s) involved in the call have given their consent to be recorded (oral acceptance during the call, consent after receiving a message, or consent as part of a customer agreement)
- Recording is required to fulfill a contract to which the individual is a party
- Recording is required to fulfill a legal obligation to which the recorder is subject
- Recording is required to protect the interests of one or more participants
- Recording is in the public interest
- Recording is in the recorder’s interest unless those interests are less important than the interests of the individuals in the call
As GDPR is now in force, we trust that your company has already ensured that its customer call recording is handled as outlined above. Unfortunately, that doesn’t mean that your work ends there. Besides gaining specific consent from customers, call centers – and organizations as a whole – need to be able to retrieve any audio file on request, and provide customers with the requested personal information within one month of the request.
Furthermore, under GDPR, companies are now required to delete customers’ personal data upon request – known as the ‘right to be forgotten’. As a result, all data – including recorded calls – must be easily retrievable, and if a call center is unable to deliver or delete data within the requested time frame, it could lead to heavy penalties for the organization.
However, many call recording solutions encrypt every recording wholesale, which makes locating and deleting an individual customer’s calls costly in terms of time and effort. To make recorded calls easily accessible, therefore, implementing technology tools that can handle these demands is an absolute must.
In addition, once you have a top-notch technology solution in place, don’t forget to educate your staff about GDPR. Addressing GDPR on these two fronts will make all the difference.
GDPR certainly affects most businesses, but there are a number of industries that are more affected than others when it comes to complying with the new legislation. And the telesales industry, which typically relies on cold calling, is not surprisingly one of them.
We already talked about a GDPR checklist and outlined how your call center can process call recordings in accordance with the new rules, so now it’s time to talk about how GDPR affects telesales, and most importantly cold calling.
And if you think that GDPR doesn’t apply to your telesales activities, think again and read on. Below we collected what you need to do to ensure you can continue relying on cold calling as part of your telesales strategy in the post-GDPR world.
Cold calling after GDPR
As we all know, telesales is a service that sells products or services directly to customers via (often cold) phone calls. Of course, in order to contact customers by phone, businesses need to store and process a huge volume of personal data. Now that GDPR has come into force, how has the situation changed?
The good news is that cold calling is still permitted; however, the rules of the game have changed considerably. Although the new legislation does not address cold calling directly, holding your prospects’ personal data without being able to justify it may be against GDPR principles.
Before we immerse ourselves in the topic, let’s quickly clarify what the definition of personal data is under GDPR. As we already mentioned, voice files are considered personal data, as they can include personal information such as the caller’s name, address or financial information.
Consequently, the data telesales departments typically rely on, including names, home addresses, phone numbers and email addresses, is all considered personal data.
Six criteria outlined by GDPR
If you want to continue your telesales activities in accordance with GDPR, it’s time to take a look at the six criteria you will need to meet in order to be able to store and process your customers’ personal data. Under GDPR, your business needs to justify that the purpose for storing and processing customer data fulfills one of the criteria below:
- Customers gave you their consent to use their data
- You’re entering into a contract with a customer and you’re processing their data in order to fulfill the contract
- Processing of data is necessary for compliance with a legal obligation
- You’re processing data to protect someone’s vital interests
- You’re processing data to carry out a task in the public interest
- Processing is necessary for legitimate interest, except where such interest is overridden by the customer’s fundamental rights and freedoms
When it comes to cold calling, it is quite unlikely that criteria 2 to 5 will apply to you. So, your best bet remains focusing on customer consent and legitimate interest.
GDPR and consent for cold calling
With GDPR now in force, gone are the days of hiding pre-checked boxes at the bottom of a webpage. In order to be able to contact a customer, businesses now need to have the customer’s clear and explicit consent.
As outlined by GDPR, when initiating cold calls, you will need to notify your customers that you are storing and processing their data, and ask for their consent to continue doing so afterward. Of course, it is probably not advisable to begin a phone call with this information, but you will need to make sure they are fine with you having their data, ideally within the first seconds of the call.
GDPR also specifies that customers who previously gave consent to have their data stored and processed can withdraw this consent at any time, and it’s your business’ responsibility to immediately delete the relevant data.
Furthermore, the actual consent itself always needs to be recorded and be available at any time. Call recording is a common call center practice and can be used to make customer consent easily available and transparent. However, bear in mind that GDPR also applies to call recording.
GDPR and legitimate interest – the savior of cold calling
Let’s be honest, obtaining your customers’ consent to contact them before you actually contact them is not an easy task.
And this is where the option of legitimate interest comes into play: the last criterion says that as long as you have a legitimate business interest in contacting customers, and it’s not overridden by your customers’ decision not to be contacted, you’re allowed to call them.
Luckily, selling a product or service is considered a legitimate business interest, making the last criterion in the legislation the savior of cold calling.
For instance, if you call a customer and offer – let’s say – a new service package to them over the phone, then, as long as you’re not misleading or deceiving them, your offer is considered a legitimate business interest.
But while this is, without doubt, a great loophole for telesales departments, it doesn’t mean that businesses can continue to call an endless number of potential customers.
With GDPR in force, telesales departments need to be able to justify that they are calling potential customers who are truly interested in their products or services, rather than just randomly dialing all available phone numbers in their database.
In order to ensure that your cold calling efforts are a legitimate business interest, you’ll need to do a so-called “balancing test”, in other words, a comparison of your business interest against those of the prospects you want to call.
In brief, products and services that are offered via cold calling in a genuine way, without misleading or deceiving customers, are considered a legitimate business interest. Simple as that.
However, in order to make sure that your cold calls based on legitimate business interest won’t harm your customers, you’ll need to put certain “safeguards” in place.
Amongst other things, you will always have to give customers the opportunity to easily opt out of continued storing and processing of their data. GDPR also states that businesses can only store and process data that is absolutely necessary for providing their service to its full extent. For instance, if you don’t need a prospect’s date of birth, then you shouldn’t ask for it. Furthermore, always make sure to raise awareness of data protection in your organization, and test your procedures systematically.
The more “safeguards” you implement in your organization, the more balanced your rights to do business will be against the prospect’s right not to be called.
As you can see, GDPR is not the death of cold calls. Just study our tips, allocate enough time to prepare for the new rules (if you haven’t done so already), and you’re good to go!
With GDPR coming into force on 25 May this year, companies hopefully have already finished their preparations for life under the new legislation.
One of the final pieces businesses needed to put in place was to update their service terms and send out emails informing recipients of those updates. And we bet you too received a whole load of these emails, right? It’s amazing how many companies have your data, isn’t it…
Ironically, these unrequested GDPR-related emails are an example of what we are going to talk about in this article: cold emailing, and how the new legislation affects it.
Cold emails are one of the main activities outbound call centers focus on. In this last part of our GDPR guide, we’ll take things further by discussing what GDPR means for telemarketing, and specifically for cold emailing.
As the legislation is now officially in force, there’s no longer any excuse for your business to act recklessly. If you want to continue to use email campaigns as part of your telemarketing strategy, it’s time to check out our pro tips!
Be aware of what “personal data” is
Let’s get straight to the point: although many people think GDPR has put an end to telemarketing, it’s actually still possible to send cold emails with this new legislation in force. However, not surprisingly, the rules of the game have changed significantly.
There’s no doubt that, if you wish to continue your telemarketing email campaigns, you will need to act in accordance with GDPR. Otherwise, your business may face fines of up to €20 million or 4% of annual turnover.
In terms of sending cold emails in a GDPR-compliant way, you will first need to be clear about what “personal data” is. As already mentioned, the term covers personal information such as names, home addresses, phone numbers and email addresses.
Bearing this in mind, you will also need to be both aware of and have a comprehensive understanding of your data collection processes, and how they relate to (and are restricted by) GDPR. This is the first step you’ll need to take before even considering sending out cold emails in the post-GDPR business world.
Rethinking your list-building processes
It’s a common list-building practice for companies to identify potential clients online, search for their contact details, add them to email lists and finally contact them with a product/service offer.
With GDPR in force, however, you’ll definitely need to rethink how you build your email lists – uploading random addresses to your email database is now a gamble that’s not worth taking.
As for bought email lists, you can continue to rely on them, but it is your responsibility to ensure your lists are 100% compliant with the new legislation.
Bear in mind that GDPR is not only about what data you can use, but also about how you can use it. Therefore, understanding why someone’s email address is on your list and how you obtained it should be high on your list of priorities.
Whether you are collecting data yourself or buying lists, you will always need to keep track of how and why you are storing and processing the data they include. In particular, GDPR specifies that you can only store and process data that is 100% required to provide your service to its full extent, and only for as long as necessary. So, if you are thinking in the long term, regular cleansing and maintenance of your email database is an absolute must.
Be prepared to know as much as you can about your email lists, as chances are you’ll receive “where did you get my email address from?” inquiries. It’s also essential for you to prepare informative replies to such questions in advance, explaining how and why you obtained particular customer data.
To summarize, having a transparent process of storing and processing personal data, and being able to provide information about this process in detail, is an essential step in complying with GDPR.
Clear consent vs. legitimate interest
In order to contact prospects in accordance with GDPR, you either need to receive clear consent from them or have a legitimate business interest when reaching out to them. Both of these options have already been discussed in detail, so we’re not going to talk about them in depth here.
These options can be considered the basis for sending cold emails in the post-GDPR world. Of course, if you have clear consent from customers to call them, then there is no issue, but what about new prospects? Can you have their consent if you have never been in touch before? Probably not.
Luckily, in such cases, you can outsmart GDPR by leveraging the option of legitimate interest. As outlined in the legislation, as long as you can claim you have a legitimate business interest in contacting customers, and it’s not overridden by your customers’ decision to not be contacted, you’re allowed to send them cold emails.
Ensure your emails are targeted and appropriate
Since it’s fairly difficult (if not impossible) to gain new prospects’ clear consent before contacting them, we assume the option of legitimate interest is already your best friend in the post-GDPR world.
It’s not that simple, however. As GDPR protects the personal data and privacy of individuals, if you base your email campaigns on the basis of legitimate interest, you’ll need to make sure your customers are likely to benefit from those business-related cold emails.
Legitimate interest is, in fact, one of the six criteria you will need to meet in order to store and process customer data, but using it as a reason for contacting prospects is only legal if your interest is not overridden by the prospects’ privacy rights.
Therefore, your campaign targeting has to be as tailored and relevant as possible: you cannot simply just send out unrequested cold emails to random email addresses. Instead, you’ll need to focus on reaching audiences that are genuinely interested in your products or services.
In practice this means that telemarketing departments will need to be able to justify that their cold emails target potential customers who are truly interested in their products or services. Furthermore, you will need to make sure you personalize your emails to the recipient, and also identify the physical email address of the sender.
If you want to contact your prospects in a GDPR-compliant way, you’ll need to have a strong reason to do so, and make sure to explain your legitimate interest to them in your email copy.
Opt-in vs. opt-out
With GDPR in force, customer consent needs to be obtained, normally via opt-in boxes to be ticked. Indeed, the clearest way to obtain consent is to ask customers to tick an opt-in box confirming they are happy to receive your cold emails.
However, bear in mind that pre-checked opt-ins are no longer considered clear consent given by customers. Like it or not, if an individual doesn’t say a clear “yes”, it means “no”.
Our advice here is to use double opt-ins, as they mean your prospects will have to confirm their email address before being added to your email list. Using double opt-ins in telemarketing is, in our opinion, the best way to ensure compliance with GDPR.
Once you have received your customers’ consent, you will also need to provide them with a clear and easy opt-out option. Don’t forget that GDPR also states that customers can withdraw their consent at any time, and of course this applies to cold emails as well.
Whenever you send out your cold emails, make sure to insert an obvious opt-out box at the bottom of your email. Considering the consequences of breaching the new legislation, it’s better to play it safe, isn’t it?
GDPR clearly represents a significant challenge for any call center. However, if you play by the rules, you can be sure that your call center will still be able to seamlessly continue its daily operations while remaining compliant with the new legislation.
Articles and entries on this page do not constitute legal advice. Should you have any legal questions, please contact your lawyer or legal advisor. VCC Live will not take any responsibility or liability for any damages, disadvantages or losses that may arise from the results of any interpretation of the contents of the blog.