What is the GDPR?

Coming in May 2018, the General Data Protection Regulation (GDPR) will implement the biggest change to European privacy rules in 20 years, with the aim of protecting European Union citizens’ privacy. Requirements include strong individual consent, 72-hour breach reporting and high fines to encourage compliance. Naturally, the law holds all EU-based companies accountable for compliance, as well as anyone who markets to, processes or stores data of EU customers, including US companies. Here are seven things contact centers need to know about the GDPR:

#1: If you have even a single EU customer, you will be held responsible for GDPR compliance

The point of the GDPR is to protect EU private citizens’ identity rights and personal data. The law applies to any company, including American and international entities, that processes or stores information relating to EU citizens, including names, email addresses, any personally identifying information. If your contact center has even a single EU-based customer, you are accountable for complying with the GDPR.

#2: You have 72-hours to report a data breach

Contact centers hold a wealth of personal information about customers and data breaches spiked 29% in the first six months of 2017, according to Identity Theft Resource Center and CyberScout. These breaches have impacted 172 million American and international records, including records from US-based businesses like Equifax, Uber and Yahoo! The GDPR is the EU’s response to protect its citizens and require companies to report data breaches within 72 hours. This will likely be the first of many laws passed internationally to bolster cyber security.

#3: Fines for noncompliance can ring up to $21.6M (or higher)

The EU is taking privacy and protection of that information extremely seriously and to incentivize companies to play along, the GDPR imposes harsh penalties on any company that violates the new regulations up to $21.6M or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

#4: Customers call the shots on which personal data businesses can collect and store

In addition to explicit consent, the GDPR requires all companies abide by customers’ preferences about what personal data is collected, used and stored. Individuals may at any time request that a company transfer their data to another business or wipe their database clean of their information.

#5: Personal data is defined more broadly than SSNs in the GDPR

When we think of personal data in the contact center space, we normally think of Social Security numbers, health data or credit card information. The GDPR broadens the definition of personal data to anything that “directly or indirectly identifies or makes a data subject identifiable.” Given the nature of contact centers, it’s likely you will need to expand your security to meet requirements by May 2018.

#6: Customer consent comes first (no more “opt out” communications)

As part of the new, stricter consumer consent laws, the GDPR requires companies to use “opt in” communications to customers instead of the typical “opt out” channels like marketing emails or RSS feeds. This means less junk mail for consumers but it will also force many companies to adapt their communications strategies accordingly.

#7: You have until May 25, 2018 to improve your security

While it’s tempting to capture and use as much data as possible to build a better customer experience with your product or contact center, operating in the grey area may land you in trouble. Here are our parting tips to help you get started:

• If you don’t need it, remove it
• If you don’t need access to, don’t have it
• Know where personal data is
• Know what is done to personal data and by whom
• Protect, protect, protect and have a plan for when protection fails
• Don’t work toward compliance, work toward being as secure as possible (but use compliance as a guide to help you get there)

Editor’s note: The information contained in this document does not constitute legal advice. Reference the EU GDPR website for official information regarding the new regulations.

Click the button below to find out how Talkdesk builds enterprise-class cloud security.