Contact Centres – 3 Things You Need to Know About GDPR (for starters*)
18 May 2017
DMA intro: GDPR advice needn't all be 'fear, uncertainty and doubt' - and if you're running a contact centre you can't afford it to be.
Fortunately, the DMA and its Contact Centre Council are trying to make sense of what practical steps you will need to take between now and May 2018. So for starters, here are three things you need to know....
You may well have read about the impact of GDPR (the new set of EU data protection rules, due to be written into UK law by May 2018) and excitable comments about the potential fines of 4% of global turnover or €20 million, whichever’s the greater.
But isn’t that all a bit over the top? It’s only going to be the real rogues and miscreants who will need to start working out what the current sterling equivalent of €20m is, surely?
If you operate or use a contact centre – especially if it provides services to external clients – then you are certain to be handling, changing and processing personal data. And for most organisations, the contact centre is where most of their person-to-person interaction with customers now take place. That’s why the DMA’s Contact Centre Council has been considering how contact centres should best square GDPR compliance with optimising customer experience and securing companies’ commercial goals.
So, if you deliver contact centre and customer management services there are 3 things that you need to start thinking about now. Or you might just find yourself on the wrong side of the law or with another multi-million pound problem on your hands…
- Do you Need a Data Protection Officer (DPO)?
Article 29 Working Party (the group working at the EU-level to put ‘flesh on the bones’ of the GDPR texts) say companies need a DPO when “core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale”.
So, what’s “…a large scale”? They don’t say, but they do recommend that organisations err on the side of caution. Also, if you’re a service provider note that the Guidelines state that the need for a DPO applies whether you’re a data controller or processor (i.e. you can’t rely on your client giving you ‘cover’). Therefore, it’s hard to see how you can avoid the need for a DPO if you’re running a contact centre.
The DPO will have a key role in advising their organisation about data protection standards, ensuring compliance to those standards and acting as the point of contact for individuals and regulators with data protection concerns. The DPO will need to be granted the independence and freedom to act and report to the board. You can outsource the DPO function – there are a number of credible providers already in the market – but you’ll still need to demonstrate that you are properly engaging with and supplier managing the DPO provider.
See the Article 29 Guidance: http://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp243_en_40855.pdf
- Controller or Processor?
You will be familiar with the current Data Protection Act’s treatment of
data controllers and data processors. Typically (though there are various interpretive tweaks and variations), if you are providing services then your client will be the controller of their data (they decide what’s done) and you will act as a processor (you do it). This doesn’t leave you free of responsibility in terms of data protection. And many data processors do a better job than data controllers. But, it does mean the greatest onus rests with your client.
Under GDPR the terminology of controller and processor will remain the same, but there is a shift in responsibility.
Simply put, the legal exposure on processors will increase and as a processor you will need to maintain and demonstrate a detailed understanding of what’s required of you, irrespective of the controller’s instructions and opinions. How this can be done isn’t yet entirely clear, but this one of the challenges the DMA will look to address over the next few months.
See ‘Who does GDPR apply to’ here: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/introduction/
- Not Forgetting Insurance
Remember the “4% of global turnover or €20 million, whichever’s the greater fine”? Rest assured that if your client is fined and feels that you have some responsibility, then they will seek to claim on your liability insurance. Debates and discussions about a fair and reasonable level for service provider’s liability insurance are common, of course. But with GDPR they are likely to become more aggressive, so be warned!
What if there is validity in a client’s claim against you and a data protection failing you can be held responsible for – be that due to your organisation’s own actions or a reckless or fraudulent third party – and other clients do the same? Then you may have multiple, possibly multi-million pound, claims on your liability insurance policy. Are you equipped to cope with this?
Is your policy structured on an ‘aggregate’ or ‘each and every claim’ basis? If it’s the former and you have multiple client claims then you may soon find yourself funding claims directly from company funds. And do you have any cyber insurance cover in place? You should.
Have a word with your insurance broker – ideally a professional liability and cyber specialist.
Finally, a couple of reminders:
- GDPR is absolutely being adopted by the UK, irrespective of Brexit and Article 50. And even if it wasn’t, that would probably result in the UK being unable to trade in services with the rest of the EU.
- If you are largely or even exclusively operating in business-to-business markets, GDPR will still apply to your company.
So, there’s potentially plenty to get on with – aside from the day job – but rest assured you’re not alone:
There are two great sources of information on GDPR
and keep checking back, as the content will change and develop over time.
*For starters? Yes. There will be other GDPR questions and challenges coming down the line between now and May 2018. We’ll keep you informed as to the latest thinking on SARs, DPIAs, Profiling, Consent, etc, as it emerges from the Information Commissioner’s Office (ICO) - and from organisations dealing with that guidance.
To see Steve Sullivan speak, alongside other speakers, come to the Digital Content Summit taking place on the 23d of May in London.