Posted on: 21/04/2017
With just over 12 months to go until the implementation of the General Data Protection Regulation (GDPR) directive, contact centres across Europe must consider how these far-reaching changes will affect how they handle and protect the data collected from customer communications. The legislation covers all areas of consumer data and includes new penalties for those failing to comply, meaning financial implications for businesses along with operational considerations.
Contact centres are understandably focussing on PCI DSS compliance and the constant spotlight on payment card security, since it is crucial to look after customers’ data to maintain their trust and ongoing business. However, there are many more elements of GDPR that you have to be ready for, not only to meet the requirements of the law, but also to run your business as efficiently as possible.
GDPR comes into effect on 25th May 2018 and will pave the way for a digital single market, repealing the current Data Protection Directive. This will mean that data collectors and processors will have new compliance obligations including:
Consent, Breaches and Subject Rights – GDPR aims to strengthen the rights of individual data subjects, including rights of access to, correction of and objection to the use of their personal data. Consent from subjects must now be easy to give, simple to withdraw and explicit for sensitive data. The DPA must be notified of any breach, where feasible, within 72 hours of awareness.
Financial Penalties – The DPA will now impose fines for some infringements up to either 4% of the data collector’s annual worldwide turnover or 20 million euros.
Accountability and Privacy by Design – Data controllers must demonstrate their compliance by maintaining documentation, conducting data protection impact assessment for high-risk processing, and implementing data protection by design and default.
Data Processors – Written records of processing activities must be completed and a trained Data Protection Officer must be designated where required, dependent on the company size.
Binding Corporate Rules – GDPR recognises gold-standard BCRs for controllers and processors to legitimise intra-group international data transfers. The BCRs must be legally binding and apply to all employees involved in intra-group transfers.
With just a year to go, now is the time to look across your business and ensure you get in shape for the deadline. We recommend the following steps to assess your readiness for GDPR:
Prepare for Data Security Breaches
Create a framework of clear policies and procedures to efficiently notify and resolve breaches.
Establish a Framework for Accountability
Appoint trained staff to consistently monitor data processing and review high-risk activities.
Embrace Privacy by Design
Gain a competitive advantage by ensuring privacy is embedded into new processing systems and products.
Analyse your Use of Personal Data
Ensure your current consent documents and processes are informed and clear, and that they always uphold the data subject’s rights.
Check your Privacy Notices and Policies
Ensure your notices are easily accessible and use clear language.
Know your New Obligations as a Data Processor
Put your customers’ minds at ease by understanding and implementing the new regulations.
About Red Box Recorders:
Red Box Recorders has been capturing critical communications data for over 25 years with a commitment to not only ensuring compliance but drawing valuable insight from captured data. They are committed to the essential simplicity of installation, ease of use and empowering customers to exceed their goals. To do this they provide future-thinking, secure and strategic cross-platform communication capture solutions fuelling you to keep moving forward, by never standing still.
Author: Andrew Ford, Red Box Recorders CMO