One year on, has the GDPR made it harder or easier for businesses to make a connection with their customers – and are the regulations about to become a global data protection standard?
At this year’s EmpowerCX Europe, Sitel put the impact of the General Data Protection Regulation (GDPR) under the microscope. Sitel Group’s European Data Protection Officer and General Counsel John Hayward sat down with Chris Knauer, Chief Security Officer, Sitel Group, and subject matter expert Lawrence Brown, Partner, Information, Communications and Technology, Simmons & Simmons LLP, to discuss life after GDPR. How has it already changed the way businesses operate; will similar regulations be adopted by other nations; and, from a customer experience perspective, how can companies continue to deliver greater levels of personalization while showing even greater respect for data privacy?
When the GDPR became law on May 25, 2018, it introduced strict rules around data transparency and individual privacy for any organization anywhere in the world that offers goods or services to European citizens and in doing so processes or holds their personal information.
In addition to large fines for any company that knowingly misuses its customers’ data, it introduced financial penalties for businesses that suffer a data breach that could have been prevented, or that isn’t reported within a 72-hour window.
“Thinking back almost two years ago, when we were working through the GDPR compliance program, we were fairly optimistic,” begins Hayward, who, in line with the regulations, was installed as Sitel’s dedicated GDPR DPO. “But by May 25, I didn’t know where I was.”
Part of the reason for this is that GDPR is not a playbook a company can follow. Each organization needing to comply with the regulations has had to find its own way. But after a year, if anything, the lack of instruction has been a benefit. “The laws have actually simplified what would otherwise be a very complex subject,” continues Hayward. “All things like the GDPR are trying to do is find balance between personalization and privacy and doing it in a workable way so that people can still do business.”
It’s a point on which Lawrence Brown agrees. “The GDPR sets objectives. What it absolutely doesn’t do is tell you how to meet them,” he says. “It’s about putting the customer in control and avoiding situations where you surprise them because that’s when you may get a complaint. I think if you’re able to do that and you are able to be transparent in the right way then you can minimize any data protection risks.”
As it’s a set of regulations applicable across the whole of the European Union, life after GDPR has meant harmony across an entire continent. Whereas before each member state in the union had its own, sometimes contradictory, rules regarding the collection and use of data, there is now a single set of regulations to follow to conduct business with 23 different countries.
This is one of the reasons why Sitel has taken the approach that GDPR should be embraced as an opportunity to reconnect with customers and build new, closer relationships with transparency and trust as the foundation. The other reason is that the rules as they currently exist offer the clearest description of best practice.
Indeed, over the past 12 months a host of other countries, including Australia, New Zealand, Mexico and Canada, have enacted similar legislation.
“Where Europe has gone, others have followed on data protection,” Brown states. “And it is seen in some quarters as a means of enabling trade. If data can flow freely, so can the cash that comes with the trade. So I think that is the way things are going.”
What’s more, several U.S. states are also in the process of taking a leaf out of the GDPR’s book. This could lead to a situation where organizations that only do business domestically will have to reexamine their approach – and that of their business partners and suppliers – to handling data and to cybersecurity, an issue that is easily overlooked in the race to comply with rules on data use and storage.
“If you look at the technology of technology, we have firewalls and standard antivirus. Everything has become much more secure,” begins Knauer on the topic of protecting an organization from being breached. “But the technology of humans has not really improved over the last 20 years. That’s why the contact center can be seen by attackers as the soft underbelly of a company.”
Therefore, from the perspective of our customers and vendors, the biggest risk of being exposed to attackers is phishing or social engineering. “And that’s where really getting into the training factors with your contact center reps when it comes to security awareness is really important,” Knauer adds.
Depending on the sensitivity of the type of business, this training could also mean recalibrating its approach to customer experience. “In contact centers you have to do NPS and CSAT scoring with your agents to really improve the performance. Part of that is making sure the customer has been delighted,” Knauer continues. “But if you need to authenticate callers because of the type of business you’re in, sometimes it will be in conflict.”
Without the right approach to training, a contact center worker could be taken off script because of the apparent emotional state of the caller, and as soon as the authentication process is halted, there is an opening for social engineering. “That’s why there is a balancing act that has to take place between your customer success programs and the security of those programs as part of the training,” Knauer stresses.
Just as important as training is having the right company culture and management structure in place to support frontline workers. “You have to have an organizational culture that empowers employees,” says Hayward. “Your people need to feel comfortable. If an agent encounters something and they think it might involve a data breach but they don’t want to raise it because of the leadership approach or their coach, that’s not the culture you want.”
Another issue relating to security and data protection can be the types of applications that some organizations have built for their contact center environment. “One of the things we’ve found, especially with companies in the dotcom space, is they haven’t put as much investment into the security of the programs they use in their contact centers as they do for their applications for mobile or the web,” explains Knauer. “So what happens is call center reps have access to information that they probably shouldn’t have access to. And that just creates opportunities for fraud that should not even happen.”
Knauer believes that within the next several years, technologies that can authenticate customers pre-contact will be mature and robust enough to roll out on a commercial basis. But in the meantime, businesses need to be in constant dialogue with their partners to understand and mitigate risks.
“Ask your partner if there is an opportunity to do some caller pre-qualification to validate that the person is who they say they are, and if there are opportunities to risk score a call that’s coming in,” Knauer says. “I know that having to go through question after question to authenticate somebody just creates a negative customer experience.”
In terms of contact center technologies, companies also need to look at what they’re using and ask if it’s really the right application for the situation. “Do your agents really need access to some of the information that is in front of them?” asks Knauer. “If they don’t, you should work internally with your IT department to get it fixed.”
But as well as talking with partners like Sitel Group and with IT departments, it’s crucial to talk to your own business as a whole. GDPR is an entire organization’s responsibility, even where, based on enterprise size and revenues, dedicated compliance posts are required.
“You have to communicate effectively,” warns Hayward. “A lot of issues can be created by the human element, by people who simply haven’t been informed or trained. So communicate, train, then communicate again and train again; it’s an ongoing process.”
And once internal communication channels are open, it’s time to take the message to your customer base. “You have to be able to show you are doing the right thing,” continues Hayward. “Life after GDPR means showing customers and regulators that you’re constantly working towards compliance.”