[BreachExchange] Understanding the impact of GDPR on the customer journey
Audrey McNeil
audrey at riskbasedsecurity.com
Fri Apr 20 20:25:07 EDT 2018
https://www.itproportal.com/features/understanding-the-
impact-of-gdpr-on-the-customer-journey/
When the GDPR comes into effect on the 25 of May, data will no longer be an
asset that companies simply harvest from customers and end users. It will
become an asset for the end user as well. Among many other things, the new
regulation will give customers and end users more access control to their
data than ever before.
The new regulation also formalises the concept of the data subject (the
customer/end user). And with this will come the right to access, to be
forgotten, to data portability, to privacy by design and the obligation to
notify breaches. The exact implications of these new rights are still to be
clarified but what is clear is that the GDPR will give customers and end
users more power to control how their data is used and what it is used for.
For many organisations, this is uncharted territory. And with the huge
fines for non-compliance, there is no room for error.
Navigating a complicated landscape
The GDPR poses many challenges, especially for businesses like contact
centers where the main business processes include gathering and processing.
And when you consider the right to be forgotten that comes with the GDPR,
you can understand why the new regulation poses a significant problem in
relation to how many contact centres are set up. For example, the multiple
data recording and CRM systems that operate simultaneously in contact
centres don’t quite line up with the concept of “forgetting” that comes
with the right to be forgotten.
The Right to be Forgotten is not just a technical challenge. This new right
clashes with the contact centres’ various evidence keeping requirements.
Organisations may ask themselves what to do if the same information must be
deleted and kept as evidence. This creates a twofold problem -
organisations must record or delete the right amount of information on
interactions to maintain the delicate balance and ensure compliance.
A new relationship between centres and customers
Since the new regulation allows for more control over their data as well as
more visibility on how it’s gathered, stored and processed, the customer or
end user can ask an organisation to hand over any data they have concerning
them or to delete it. The regulation will also impose “privacy by design”
and mandatory breach notification within 72 hours of the breach.
This increased transparency will transform the customer journey but also
impact on customer expectations when interacting with organisations. For
instance, all end users will have to provide consent to be recorded. And
although the regulation is not entirely clear on if this must be explicit
or implicit, failure to comply would still be considered a breach.
Heavily sanctioned breaches
The fines imposed if contact centres fail to comply with the regulation are
heavy ones. There are two tiers of administrative fines. They can reach €20
million or 4 per cent of the annual global turnover – whichever is higher.
Add to that the loss of brand reputation. The fine will be administrative
which means they will be discretionary rather than mandatory. They will
also be imposed on a case-by-case basis. GDPR aims to have effective,
proportionate and dissuasive fines.
Adding to the fines, GDPR gives individuals the right to individual
compensation when a material and/or non-material damages occurs after an
infringement of the GDPR. In other situations actions on behalf of
individuals can be brought by not-for-profit bodies. In case of large-scale
infringement firms will face mass claims which could have a big impact.
Such potential fines will empower the customer when interacting with a
contact centre. The customer will be king, or at least closer to being one.
The GDPR and customer trust
The new requirements imposed by the GDPR will foster trust between
customers and organisations. The idea that a customer has actually given
consent to the use of his data is an empowering one. Such good dispositions
will enable trust to further their relationship with customers and enter
into a more.
With the ‘right to data portability’ organisation now have a way of
showcasing their transparency and honesty. This right imposes on firms to
provide to an end user any information he would have previously provided.
Doing so rapidly will foster a positive customer experience y demonstrating
efficiency.
The GDPR and ‘privacy by design.’
Another novelty the GDPR brings is ‘privacy by design’. From the GDPR on,
random compliance checks will no longer be enough. Organisations will be
expected to ensure that privacy is an integrated component of every facet
of their products and services. This rights also imposes data minimisation.
Firms may only collect necessary data.
Firms will have to go through a process of evaluation and understand the
personal data they are storing. They will also have to know where it is
coming from. Their action will be twofold. They will have to
comprehensively analysis their databases as well as start a cross-section
dialogue between teams within the organisation. GDPR would give
organisations an overall picture of the quantity of data currently stored
and used by the organisation. This will allow you to get rid of the data
you don’t need and it will make it easier to create new policies regarding
which data to store in the future.
The mere idea of GDPR brings anxiety and trepidation to many. This
shouldn’t be the case. To my opinion, judging from my experience, the GDPR
could be an opportunity to redefine how value is derived from interactions
with end users. By fostering the right processes, GDPR could, in fact, turn
out to be an opportunity to enhance the customer journey. This would, in
turn, enable the relationship between end users and the organisations to
reach new levels of satisfaction.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180420/4578babc/attachment.html>
More information about the BreachExchange
mailing list