☰ Menu

I'm writing this on 24th May 2018. The day after the new Data Protection Act received its Royal Assent and the day before the day we've all been waiting for, GDPR implementation day, 25th May.

Don't 24 weeks fly by when you're having GDPR fun?

This week I was intending to provide another bite-sized piece of advice to help you on your way to becoming GDPR compliant, especially from a customer experience perspective. However, as the nation has been floundering under a growing tsunami of last-minute ‘re-permission’ or ‘re-consent’ emails from companies, charities, arts and community organisations for the past few days, I can’t avoid looking at that phenomenon.

The implementation date for the GDPR is only a week away. If you have been following this series of weekly 'Just One Thing This Week' blogs then we hope you're fairly well prepared - or at least know what you still need to work on.

Anyway, give yourself a minor diversion and read about my Cunning Plan...

I've been doing some sums.

The Office for National Statistics (www.ons.gov.uk) reckons there are c.47,000 UK enterprises that employ 50 or more people. Let's use that as a very rough proxy for the number of UK firms engaging in some sort of formal marketing and customer management/experience activities.

The ICO tell us (www.ico.org.uk/media/about-the-ico/documents/2014518/annual_operations_report_201617__pecr_concerns.png) that in 2016/17 they imposed financial penalties totalling £1.9m on just 23 organisations for Privacy & Electronic Communications Regulations (PECR) infringements. The scope, volume and size of penalties imposed on errant businesses by the ICO are all likely to increase in the future (but don't hold your breath for a 4% of global turnover fine). So, let's imagine that next year the ICO's fines total £5m.

We looked at what you need to do help your frontline teams get prepared the GDPR and new Data Protection Act a few weeks ago (www.linkedin.com/pulse/week-19-gdpr-customer-experience-frontline-part-1-steve-sullivan/). So, by now you will ideally have agreed on an approach and the content you will use to inform and up-skill those teams - the public face of your organisation's customer experience.

This may have entailed addressing issues around

  • how you acquire, process and retain personal data, or
  • how to recognise and fulfil customers' data rights

If you have followed this series of weekly 'GDPR and the new Data Protection Act (DPA) for Customer Experience people' since they started then you could probably do with a break. And maybe a bit of a sanity check? We have said before that the GDPR and new DPA needn't be cataclysmic or devastating - for most organisations at least. But maybe it's all still needlessly complicated? So, how could we tell?

Well, in my experience if you want to get a sense of clarity about an issue, then ask someone from the Netherlands.

Although it may sometimes sound a little brutal to British ears, a Dutch man or woman will invariably give a simple, direct assessment of a situation. So, when Donna Dodsworth of our friends at the Contact Centre Panel forwarded us an article by Julien Spronck and Meryem Sabotic-Deniz of the Dutch arm of accountants BDO (looking at the food sector, but that's not especially relevant) we were intrigued to see what they thought about the GDPR.

Let me ask you a question.

As champion of your organisation's customer experience and (for now, at least) the person responsible for ensuring you comply with the GDPR and new Data Protection Act, are you sending prospect and customers' personal data outside of Europe solely to circumvent the laws on data protection?

No, of course not! I think.

But if any of your technology partners or services transfer, save or process personal data outside of the EU or EEA (European Economic Area), then you need to be clear about the legal basis on which you are doing this. And if you have intra-company transfers of personal data outside of the EEA and your organisation doesn't have Binding Corporate Rules (BCRs www.ico.org.uk/for-organisations/guide-to-data-protection/binding-corporate-rules/) in place - which is unlikely as BCRs are tricky and expensive to establish - the same stipulations apply.

Like a lot of aspects of the GDPR, the key consideration here is transparency - let your customers know what you'll do with their data and where. So before you do that you'll need to a) know where the personal data is going, b) that you are confident that it will be safely and securely treated.

So whether personal data transfers outside of the EEA are being carried out by your CRM provider, email or SMS despatch solutions, fulfilment providers, for fraud screening or data profiling, in most cases you will need to explain this to the data subjects whose personal data is being affected. If you have a good reason for doing this and can be confident that your overseas partner will handle the data appropriately, then there's no problem.

If not, then you'll need to take a long hard look at your 'customer experience infrastructure'.

Life's a lot simpler if you are transferring and processing data in countries that the EU has ruled to display 'adequacy' in terms of personal data protection. However, the current list is rather eclectic and includes a mixed bag of countries: Switzerland, Andorra, Faeroe Islands, Guernsey, Jersey, Isle of Man, Argentina, Canada, Israel, New Zealand and Uruguay. Unfortunately, the USA is only 'partially adequate' and you will be reliant on your partner/supplier overseas company to gain Privacy Shield (www.privacyshield.gov) status; it's not a given.

Finally, if you are a provider of services (a data processor) which requires client personal data to be transferred out of the EEA then this is another GDPR-related concern you will want to add to a growing list. See our blog from a few months ago: www.channeldoctors.co.uk/blog/29-technology-providers-it-s-time-to-wake-up-to-the-gdpr

Whether you have just started your preparations for the GDPR and the forthcoming new Data Protection Act or you feel it's all sorted, you need to ensure your most important stakeholders - your frontline staff - are prepared. Your customer facing teams mark where your customer experience ambitions are either realised or frustrated. Whether dealing with customers face-to-face in store or in the field, or remotely in a contact centre, they are the face of your organisation. As such they will be the first port of call for customers looking to exercise their new and enhanced rights.

As a bare minimum, you need your frontline colleagues to:

  • Recognise a data privacy-related customer request (a Subject Access Request, the Right to Erasure, or a 'how do you use my data' question)
  • Know what to do as a result
  • And ideally, their understanding should be based on a confident understanding of your organisation's approach to handling personal data, customer data journeys and so on

How you choose to train your people is, of course, a question you are best placed to answer.

If you have an established processes of briefing, training and knowledge management then just make sure you’ve booked your ‘slot’ for new or updated data protection training. And if you want to do this from a customer-centric perspective, then why not start with sharing with your colleagues what their new and enhanced rights will be (www.ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/) before getting into the process detail of what they should do in their ‘day job’ as employees. Conversely, if you never train your staff (yes, there really are plenty of organisations out there that never do!) then a day's classroom immersion into the minutiae of EU and UK data privacy regulations either isn't likely to help your colleagues or staff very much - or lead to lots of unintended consequences...

If you’re feeling ill-prepared as to how to design and deliver data protection training for your front line teams then help is at hand. The DMA Contact Centre Council (www.dma.org.uk/communities/contact-centres-council) is hard at work preparing a contact centre training guide, which should be ready in the relatively near future. In the meantime, though, you can make a start by reviewing your GDPR preparations to date and working out what you most need to share with your front line colleagues.

And in a future ‘Just One Thing This Week’ blog we’ll consider how to retain and enhance your colleagues’ data protection knowledge and skills.

Week #18 of your preparations for the GDPR (or the planned Data Protection Act 2018 in the UK) and its impact on your organisation's customer experience. So, how's it going?

My guess is that - unless your organisation has a strong Compliance function, which had already done plenty of planning for the GDPR before you got involved (some of which you may well have since disagreed with!) - you are now being treated as the company expert and 'go-to' person for all things data protection. As I assume you have plenty else to be getting on with in your own world of the Customer, then you probably don't want to become the GDPR guide for everyone else.

If that's the case then your colleagues who are responsible for other functions (Finance, HR, etc) may benefit from the some high-level guidance. Why not try sharing these 4 pointers for starters:

  1. If your colleagues are concerned about GDPR and a new Data Protection Act then for most organisations the biggest commercial and regulatory risk is that of a data breach. If they have concerns about the technical and 'social' security of personal data they should address those first
  2. Not all data your colleagues hold and process is personal data. Your fulfilment house's good inwards address isn't personal data. Anonymised purchase data isn't personal data.
  3. They should think about the new and enhanced rights of individuals - be they employees, clients, suppliers, clients' customers, or whatever - that the GDPR brings (www.ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/ ) and how they might impact on their function in the organisation
  4. Help is out there! Nearly every trade body and professional membership organisation has developed GDPR guidance tailored to its specific audience. This is often only available to members of those bodies and - just like in the world of customer experience - not all the advice will be absolute and incontrovertible, but your colleagues gaining an understanding some of the issues and approaches adopted by their peers is a useful start to the process 

What's black and white and never read? Your Privacy Statement, that's what!

(or at least that has traditionally been the case - but things may now be changing)

As you'll know, one of the key requirements of the GDPR and the new Data Protection Act is that organisations keep their prospects and customers ('Data Subjects', in legalese) informed. In fact, the first of the 8 Rights listed by the ICO is this one; the Right to be Informed.

An organisation's Privacy Statement or Notice is typically the best way for an organisation to explain how it will process data. Traditionally, from a customer experience perspective, the Privacy Statement has been irrelevant. They're lengthy (on average over 2,500 words - though iTunes' peaked at 20,000 words in 2015) and no-one reads them. But in future people increasingly will. And if it's not your prospects and customers reviewing your Privacy Statement, then rivals and and a growing band of people looking to make a living out of challenging brands' data privacy compliance will!

If you're grappling with ensuring your organisation comes to terms with the customer experience-related requirements of the GDPR and new Data Protection Act and have been following the advice in these weekly blogs, then by now you have probably had lots of conversations, filled a few white boards and even changed some processes and customer journeys. 

One of the 8 rights of data subjects (that's prospects and customers to you and me) is that of Data Portability www.ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-data-portability/ 

In simple terms it requires that you support and allow the easy transfer of the personal data you hold on a data subject to a new service or product provider on their instruction. This right has generally got less coverage in the lead up to the implementation of the GDPR and new Data Protection Act than two other closely related rights - to Erasure (to be forgotten) and the right to Access (Subject Access Requests). 

The Right to Erasure is one of the 8 key rights for data subjects enshrined in the GDPR and the Data Protection Bill (www.ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/). If you are responsible for ensuring both data protection compliance and a good customer experience, then how to manage the right to erasure - more commonly referred to as the right to be forgotten - needs to be high up on your list of GDPR challenges to address.


...but there can - and must - now be a free download.

Over the past few weeks we've identified a lot of tasks and questions for you to consider as you chip away at preparing for the GDPR and the new Data Protection Act. The amount of work or change these 'bite-sized' activities are likely to lead to will vary greatly from organisation to organisation.

However, if your firm's marketing and acquisition of new prospects with future marketing permissions is heavily dependent on online content downloads (white papers, guides, infographics, etc) then the requirements of the GDPR may have a radical impact on you. 

We use essential cookies to provide necessary website functionality, we would also like to use additional cookies for additional functionality whichrequire third party cookies to monitor your visit, please accept or reject to inform us of your preference.