Unless you have been living under a rock, you can’t have failed to notice the GDPR compliance deadline is looming.
By the 25th May 2018 all organisations serving customers across Europe need to comply with the new legislation. Regardless of the UK leaving the EU.
Yet, IT Governance reported this month that 68% of a survey sample have yet to update their processes to reflect the new data subject rights.
There are numerous changes to the outgoing Data Protection Act that organisations need to adhere to, or fall foul of the regulator – the Information Commissioners Office (ICO) which is currently recruiting 200 new staff to enforce the new rules. Failure to comply could result in fines of up to €20 million or 4% of annual global turnover, whichever the greater. But even worse – what if you lose all your customer data?
The GDPR will apply across the company. No longer just an issue for Marketing, Customer Insights or Compliance. Customer Services will be at the forefront when it comes to dealing with enquires from citizens, Subject Access Requests (SAR’s), engagement, loyalty and churn.
In this Digital Age, with more Artificial Intelligence and automation, the customer expects a certain level of personal targeting and customised experience. This has resulted in a more customer centric culture. Now the customer will expect not only personalisation of product and services, but security of the personal information they have shared with you.
The fact that customers have been happy to share data to obtain a value exchange with your organisation is a great starting point. You may now have access to purchase history, address, birthday, communication preferences and in some cases even their voice recording. But this results in a vast amount of personal data for storage and protection.
Now you have been entrusted with their data, you must respect it, ensure its safety and privacy. From here on in, under GDPR your company must obtain consent and understand what we at MyLife Digital call the 5W Framework:
- WHAT data has been collected.
- WHY it’s been collected and for what specific purpose.
- WHO is using the data.
- WHEN the permission was granted.
- WHERE the permission was granted.
From a Customer Service point of view, any Customer Relationship Management system needs to access and report on the above. When you’ve worked so hard to build customer satisfaction and loyalty, you don’t want to lose it.
With Chabot’s and technology removing the need for live agents, customers must feel they are able to resolve problems whilst having a good experience. In another survey recently reported by CSM, 65% of consumers “feel good” when they solve their issue without human contact. Customers rely more and more on technology. And this technology relies on data.
Analytics of customer data is getting more complex. To feed machine learning algorithms requires data; more data means more of the 5W’s. Especially who is using it, why it has been collected and for what specific purpose.
GDPR is seen as one of the biggest, most important changes to consumer rights in recent times. It turns the use of personal data on its head and gives back control of data to the citizen. Businesses must ensure every member of staff has the appropriate level of understanding to continue to carry out their role.
Okay. You’ve done your homework, you’ve invested resources and applied the 5W’s to your data collection, so what’s next?
In an article in Harvard Business Review, Customer Data: Designing for Transparency and Trust, the authors state, “a firm that is considered untrustworthy will find it difficult or impossible to collect certain types of data, regardless of the value offered in exchange. Highly trusted firms, on the other hand, may be able to collect it simply by asking, because customers are satisfied with past benefits received, and confident the company will guard their data.”
To be a trusted firm, to maintain loyalty and reduce churn, you need to keep your customers happy. With repeat purchases, upgrades, continued good service and of course value for money – and from May 2018 data consent.
To start to understand consent, look through current statements that have been used to gather permission to contact. These might be on old direct mailing packs or in recent online or social campaigns. Collate these, then assess how legitimate that consent to use data is and whether explicit permission was given.
Your customers must agree that their data can be used and that they can be contacted. Only then do you have a legal basis for collecting, storing and using their personal data.
And be mindful: consent is not the same as a preference.
Under the DPA customers already have the right to know what data you hold on them and can submit a subject access request (SAR). The ICO has written guidance to this process which is well worth reading, and we await an update for GDPR.
Customer Service is often the first port of call when the relationship has steered off course or a simple query triggers a call. Under GDPR it may now also trigger the right to be forgotten or right to erasure.
Article 17 of GDPR states the data subject has the right to request that the data controller erases their personal data, subject to meeting certain conditions. This may be that the personal data is not necessary in relation to the purpose for which it was collected, or the data subject withdraws consent or objects to processing; amongst others.
Now is the time, before May 2018, for your organisation to:
- consider the organisation’s stance on personal data and what is done with it
- understand what data needs to be retained for legal or other reasons
- establish or update data retention policies and adhere to them
- ensure there is a process in place to manage SARs and the Right to be Forgotten
- train all staff in the above process and the part they play in it
- draft standard communications and notifications to acknowledge requests, including the timelines for completion
- know where data is shared, internally and externally, and be ready to inform such parties to complete these requests
- comply or update a suppression list to remove requestors data from any marketing, sales or communication activity.
Basically, leave no stone unturned. Don’t live under a rock or bury your head in the sand – GDPR is coming and sooner than you think.
About the Author
Keith Dewar is Group Marketing and Product Director at MyLife Digital, with over 25 years of senior management experience across functional disciplines including marketing, sales, business development and strategy. He has held various directorships with Cable & Wireless, Vodafone and O2.
More recently, Keith was Vice President, Marketing & Strategy for technology start-up IP Wireless where he helped grow the business over five years, culminating in a successful acquisition of the company by General Dynamics. Keith is also a post graduate student in the Department of Economics, Finance and Management at the University of Bristol where he is studying and researching areas of strategy, change and leadership.