In May 2016 the GDPR (General Data Protection Regulation) was issued, containing over 90 articles on customer data collection and security intended to improve the privacy of European citizens. The regulation applies to any organization dealing with customers residing in the EU and will be enforced from May 25, 2018. The fines for noncompliance range from €20M up to 4% of your global turnover.
A few of the articles relate directly to customer interactions and set out the following rights of the customer:
- right of access by the data subject
- right to rectification
- right to erasure
- right to restriction of processing.
These four articles represent a very limited part of the entire GDPR, but they have a direct link to your CSAT, NPS and reputation with regard to customer interaction. They could potentially generate a massive volume of customer requests, overloading your contact center and the departments involved in fulfilling them.
To give you a feeling of the amount of work involved: the regulation states that your customers can request what PII (Personally Identifiable Information) you store about them and, this is the tricky part, that you need to respond fully to that question within a reasonable time. You really need to provide all PII stored in all systems, including the reason for storing each specific piece of data. Based on that response the customer can request that the data be rectified if it is incorrect, and even that you stop using it until it has been corrected. One step further is the option for that customer to request to be forgotten. This implies that all PII should be removed from your systems, provided that there is no "higher" legislation that requires you to retain that PII. The latter means that you need to weigh the request for each system against other legislation.
Now take a minute and think of all your systems that contain PII and how you will assure compliance with these rights.
At Capgemini, we have developed an automated business process to ensure you can manage the CX-related GDPR processes and provide comprehensive reporting and dashboards. It allows you to start off
- either with just manual tasks for your system administrators or
- with a hybrid solution where some tasks are automated and some tasks are performed manually.
We deliberately start with handling the tasks manually because it
- will dramatically speed up the implementation process, enabling you to be ready in time
- provides insight into which processes will benefit most from automation and which processes can be automated at reasonable cost
- buys you time to ensure proper handling of the requests by the underlying systems (a prerequisite for automation that usually takes considerable time to identify and document properly).
Implementing such an automated GDPR process will help you stay ahead of the regulation and will help you protect your workload, CSAT, NPS, and reputation with regard to customer interaction.
As stated, the regulation will be enforced from May 25, 2018, which leaves you less than eight months to ensure you comply. The expectation is that as that date approaches, the general public will become more aware of these new rights and will submit more requests. Hence there is no time to lose: start, or (hopefully, since that means you have already started) finalize, all the necessary work.
Let me leave you with an easy question that is very hard to answer fully:
How will you assure that even emails stored in an archive on an employee’s own hard drive will be deleted once a customer requests to be forgotten?
More information can be found at www.capgemini.com/cybersecurity.