Note: The information contained in this document does not constitute legal advice. Reference the EU GDPR website for official information regarding the new regulations.
Coming in May 2018, the General Data Protection Regulation (GDPR) will implement the biggest change to European privacy rules in 20 years, with the aim of protecting European Union citizens’ privacy. Requirements include strong individual consent, 72-hour breach reporting and high fines to encourage compliance. Naturally, the law holds all EU-based companies accountable for compliance, as well as anyone who markets to, processes or stores data of EU customers, including US companies. Here are seven things contact centers need to know about the GDPR:
#1: If you have even a single EU customer, you will be held responsible for GDPR compliance
The point of the GDPR is to protect EU private citizens’ identity rights and personal data. The law applies to any company, including American and international entities, that processes or stores information relating to EU citizens, including names, email addresses and any other personally identifying information. If your contact center has even a single EU-based customer, you are accountable for complying with the GDPR.
#2: You have 72 hours to report a data breach
Contact centers hold a wealth of personal information about customers, and data breaches spiked 29% in the first six months of 2017, according to the Identity Theft Resource Center and CyberScout. These breaches have impacted 172 million American and international records, including records from US-based businesses like Equifax, Uber and Yahoo! The GDPR is the EU’s response: it protects its citizens and requires companies to report data breaches within 72 hours. This will likely be the first of many laws passed internationally to bolster cyber security.
#3: Fines for noncompliance can ring up to $21.6M (or higher)
The EU is taking privacy and the protection of personal information extremely seriously. To incentivize companies to play along, the GDPR imposes harsh penalties on any company that violates the new regulations: up to $21.6M or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher.
#4: Customers call the shots on which personal data businesses can collect and store
In addition to explicit consent, the GDPR requires that all companies abide by customers’ preferences about what personal data is collected, used and stored. Individuals may at any time request that a company return their data or remove their personal data from company databases.
#5: Personal data is defined more broadly than SSNs in the GDPR
When we think of personal data in the contact center space, we normally think of Social Security numbers, health data or credit card information. The GDPR broadens the definition of personal data to anything that “directly or indirectly identifies or makes a data subject identifiable.” Given the nature of contact centers, it’s likely you will need to expand your security to meet requirements by May 2018.
#6: Customer consent comes first (no more “opt out” communications)
As part of the new, stricter consumer consent laws, the GDPR requires companies to use “opt in” communications with customers instead of the typical “opt out” channels like marketing emails or RSS feeds. This means less junk mail for consumers, but it will also force many companies to adapt their communications strategies accordingly.
#7: You have until May 25, 2018 to improve your security
While it’s tempting to capture and use as much data as possible to build a better customer experience with your product or contact center, operating in the grey area may land you in trouble. Here are our parting tips to help you get started:
- If you don’t need it, remove it
- If you don’t need access to it, don’t have it
- Know where personal data is
- Know what is done to personal data and by whom
- Protect, protect, protect and have a plan for when protection fails
- Don’t work toward compliance, work toward being as secure as possible (but use compliance as a guide to help you get there)
Talkdesk is fully aware of the GDPR and the impact it has on our customers, since it applies to all companies that process European Union (EU) citizens’ personal data. To that end, Talkdesk is committed to having a platform that is GDPR compliant when the regulation becomes enforceable.
GDPR - Talkdesk Approach
1 - Individuals’ rights
The GDPR is about transparency with data subjects and being able to comply with individuals’ rights. Talkdesk already has several features on its platform that allow customers to address some of these rights, and we have developed new features and processes to allow our customers to address all of the rights of private individuals.
2 - Supply chain
Talkdesk aims to offer a product that is GDPR compliant. To do that, the partners and providers that we rely on must also be GDPR compliant. In order to continue providing our core services, we will be working with providers that give total assurance that they are GDPR compliant on the 25th of May, 2018.
3 - Privacy by design
Privacy concerns are not new to Talkdesk, and we embrace privacy by design. In every new product or feature that we develop, we consider all privacy concerns from the initial design phase.
4 - Data location
Talkdesk uses data centers located in the USA and Ireland and is Privacy Shield certified. We also allow our customers to store and manage call recordings directly on their own servers.
5 - Security
Talkdesk aims to protect our customers’ data, and we will continue with that focus. We are also using the GDPR to improve some processes, like data breach notifications, so that our customers are aware of any breach as soon as possible.
6 - Agreements
Talkdesk has prepared an addendum to existing agreements to include the GDPR processor duties. You can request that Talkdesk sign it by emailing email@example.com
7 - DPO
Talkdesk has already designated a Data Privacy Officer (firstname.lastname@example.org).
If you have any questions or concerns, please reach out to your CSM or contact our support team: email@example.com