Contact Centres - 3 MORE Things You Need to Know About GDPR & the new Data Protection Act | DMA


Contact Centres - 3 MORE Things You Need to Know About GDPR & the new Data Protection Act


A few months ago, we blogged about 3 things that contact centres and people responsible for customer experience needed to know about GDPR (the new set of EU data protection rules, now being written into UK law in the new Data Protection Bill, which had its first reading in parliament earlier this month). We explained that the DMA’s Contact Centre Council had been considering how contact centres should best square GDPR compliance with optimising customer experience and securing companies’ commercial goals.

Back then we highlighted:

• the possible need for a Data Protection Officer (DPO)
• changing requirements between data Controllers and Processors
• the need to ensure your corporate insurance cover reflects changed obligations and liabilities

We said we’d continue to keep you informed as to what we understand about how GDPR will take effect and the impact it is likely to have on customer-facing operations.

Since then, although the Data Protection Bill has started to make its way through parliament, some detailed, practical aspects of how GDPR will be interpreted – specifically around customer consent and profiling – remain a little unclear. The Information Commissioner’s Office (ICO)’s final guidance on these areas is still awaited.

However, as the ICO has made clear, there’s a great deal we can be certain of. Organisations need to get into a fit state before the new DPA makes compliance with GDPR mandatory by May next year. And for many organisations, that will be a big ask.

So, here are another 3 things you need to know about. There will be more aspects of GDPR / the new DPA to consider in future, but take these on board for now. They will all have a direct impact on your front-line staff, in contact centres, in the field and in-store.

1. Subject Access Requests (SARs).

These are nothing new – individuals’ right to request all data an organisation holds about them is featured in Section 7 of the existing, 1998 Data Protection Act – but they are likely to become a lot more common. Up until now organisations have been able to charge an administration fee, typically £10. But under GDPR, SARs will have to be processed free of charge, and the standard maximum response period will reduce from 40 to 30 days.

Most organisations have rarely, if ever, received SARs, but they are likely to receive more in future, especially if a disgruntled group of people decide to lodge multiple SARs in a coordinated fashion. The ability to comprehensively fulfil SARs in volume will present a technical challenge for many companies, but irrespective of your data management solutions, SARs can create a communication and training difficulty for your front-line teams. Can they recognise a SAR, and how confidently can they explain to a requesting customer how SARs will be handled?

2. The Right to Erasure (better known as ‘the right to be forgotten’).

Again, this is not an entirely new right, but the basis for a customer to request their right to erasure under GDPR will no longer be dependent on ‘unwarranted and substantial damage or distress’. The right to erasure will be better publicised over coming months, alongside a growing public awareness of organisations’ need to get customers’ and prospects’ consent prior to marketing to them. In combination, then, organisations – specifically their front-line contact centre and retail staff – need to be prepared to recognise, understand and enact right to erasure requests.

3. Understanding Data Sources.

Irrespective of whether they use a consent or legitimate interest basis for their retention and processing of marketing data (and that’s a discussion for another blog, on another day!), companies will be under increased pressure to understand and review their internal and external data sources.

“Where did you get my details from?” will almost certainly become a more common question, with greater implications for organisations that can’t answer it. Once again, a narrow technology challenge is matched by a much broader internal training and communication challenge. You absolutely need to make sure your people are ready to meet it.

So, there are 3 more things to think about, and you need to plan how you and your front-line teams will respond to them. As ever, the sooner you start to do so the better. We will share our views as to what else you will need to consider over the next few months as further ICO guidance emerges and the 2018 DPA gets closer.

In the meantime, two great sources of information on GDPR and the new Data Protection Act are: ICO: www. DMA: and keep checking back, as the content will change and develop over time.
