Despite a mix of regional political uncertainties, the EU’s GDPR is on track for a May 2018 implementation. Its pending arrival is already causing anxiety, particularly with call centers that regularly process consumer data. This article takes a closer look at their concern by examining nine ways the GDPR could affect operations this year.
1. Global Reach
Lexology, a site dedicated to up-to-date legal analysis and advice, makes it clear the GDPR won’t impact only the EU. Rather, the GDPR “has a broad reach, even impacting companies with no physical presence in Europe.” The regulation requires that any company processing EU-originating data abide by the EU’s privacy and security requirements.
This means a call center in the United States could need to update its data standards. It could also affect some industries more quickly than others. Higher education, financial markets, healthcare, life sciences, and Software as a Service (SaaS), for example, could come under scrutiny faster than other businesses because they tend to be more visible, high-profile, and integrated into everyday life.
2. Murky Regulations
Unfortunately, that global reach doesn’t translate into a comprehensible regulation. The GDPR more often affects call centers in the same way the TCPA does—with murkiness. As an example, the TCPA causes uncertainty about consent and other compliance issues.
The GDPR’s murkiness more or less arises from its definition of personal data, which Enterprise Tech calls a “global re-visioning of data security and personal privacy.” In the GDPR’s lens, personal data covers almost any type of information, from name and demographic information to IP addresses and cookies.
3. Consumer Rights
The regulation itself may be murky, but one of its points of focus is clear: consumer rights. The GDPR aims to give people more control over what information they disclose, when they share it, and how companies use it.
The aim isn’t new. Privacy guidelines have been heading this direction for a while. The GDPR simply creates a standard for all rather than a select few. In that regard, its mission aligns with other calls for standardization and regulation.
4. Call Center Responsibility
A second point of the GDPR is also straightforward: call center responsibility. In the GDPR world, the onus for data security and privacy falls upon the contact center, not the consumer.
Again, that’s nothing new. The difference here lies in application. The GDPR will supervise efforts to secure data, possibly resulting in stricter reporting and rigorous oversight. It could also produce a call for greater transparency, something consumers have been demanding for years.
5. Data Storage and Officers
In response to that responsibility, some companies have taken proactive steps. PricewaterhouseCoopers (PwC) reports that GDPR compliance is a top priority for 92% of surveyed U.S. companies. Companies have responded in a variety of ways, with some electing to leave the EU market. The decision might be premature; leaving the market doesn’t necessarily prevent processing EU data.
Other companies take a more balanced approach. Some plan to centralize their data storage in Europe. Others intend to limit their risk by “de-identifying” personal information or hiring a data protection officer (DPO).
6. Company Culture
Besides changing data storage policies, some companies are adopting what Computer Weekly terms a “culture of privacy.” The publication explains the GDPR has companies moving “away from seeing the law as a box-ticking exercise, and instead working on a framework to build a culture of privacy that pervades an entire organization.”
Building that structure requires call centers to think of privacy as an organizational issue rather than an IT one. As Computer Weekly says, “GDPR is a cultural change in terms of how companies process personal data throughout the organization—where personal data is obtained from, how it is used, where it is stored, who it is passed to, and how those parties use that data.”
7. GRC Programs
Part of that foundation may stem from GRC programs. These plans integrate governance, risk, and compliance, resulting in a unified approach instead of a segmented one.
Such programs could be hugely beneficial because they get rid of silos. Companies seem to think so, if Forrester is any indication. Forrester already offers a GRC playbook, stating the programs “are essential for protecting business value and maximizing business performance.”
8. More Technology
The programs, though, won’t succeed without technology. Computer Weekly again offers insight, saying, “For a challenge such as the EU’s General Data Protection Regulation (GDPR), technology is likely to play an important role.”
The GDPR calls for such sweeping changes that technology is a must. The best technology solutions, though, will be functional, flexible, and integrative. That is, they integrate and adapt to a call center’s processes and culture.
9. Hefty Fines
Fines appear last in this list of effects, although they likely are the main reason for concern. The GDPR features hefty fines, ones far greater than those associated with TCPA noncompliance.
Sarah Pearce, an attorney, says, “The degrees of noncompliance will of course vary but, generally speaking, if you violate the law, (e.g., mishandle data or experience a data breach), the GDPR gives regulators the authority to impose fines of up to €20 million [$24 million] or 4% of worldwide annual turnover (whichever is greater).” Other penalties are less quantifiable but equally devastating; they could lead to lost business opportunities or a damaged reputation.
The GDPR takes effect in a few months. Call centers should prepare for it in two ways. First, they should understand how it could affect their lines of business. Second, they should develop a plan so that they are in compliance by May 2018.