Amongst the many challenges that the GDPR presents, the workload involved in interacting with customers is one of the least understood and least planned for. This workload falls into three primary categories: consent management, Data Subject Access Requests and breach management. Each requires a variety of processes, and all but consent management run against statutory deadlines (one month to answer an access request, 72 hours to notify the ICO of a breach). Let's start by characterising these types of interaction:
Consent management
Compliance with the GDPR requires you to demonstrate a lawful basis for collecting, storing and processing personal data. Consent is only one of the lawful bases (the others include performance of a contract, a legal obligation and legitimate interests), and where one of those applies it is usually preferable to rely on it rather than on consent. Nevertheless, some processing will rest on consent alone, so a mechanism for managing consent will always be required.
Remember the rules for consent: it must be freely given by a clear affirmative action; informed by a statement in plain language; specific to the anticipated use of the data; unambiguous; and still valid, bearing in mind that the data subject can withdraw it at any time and that withdrawing it must be as easy as giving it.
Achieving this necessitates significant interaction with data subjects, and the process must be ongoing so that changes are captured and the consent remains valid. Unless it is handled as a flexible, self-service dialogue, there is a danger that the communication overhead will make some uses of data unprofitable, because every one of these interactions would otherwise have to be serviced through the contact centre.
We must always consider the user experience when dealing with personal data over which the data subject now has substantial control. To have the best chance of data subjects continuing to allow use of their data, you must deliver these interactions over their preferred channel(s).
Note also that any of these interactions can develop into a more complex, alternative business process. The data subject whose preferences you are updating may want to upgrade their service package, and it would be poor practice to lock them into a self-service automation that can only update information and cannot help them buy more goods or services.
Data Subject Access Requests (DSARs)
The difficulty with DSARs is that they are effectively a new phenomenon: subject access existed under the Data Protection Act 1998, but the GDPR removes the fee that could previously be charged and shortens the response time to one month, so historical volumes are a poor guide and few businesses know how many to expect.
We do know the kinds of information they will contain, because the ICO and others have prepared templates to help data subjects prepare them. A key decision is whether to provide an interaction process that assists data subjects in preparing a request. On the one hand, a process that makes it simple to submit a request demonstrates key principles of good data stewardship and can use automation to pre-populate some of the fields and perform input validation. On the other, there is a concern that making it easy will open the floodgates and encourage people to exercise their rights, including asking for their data to be erased. A key factor in this decision will be how easy, and how costly, it is for you to respond. It seems likely, however, that a form or interaction over which you have control will be much easier to handle administratively than a mixed bag of printed and handwritten requests with wildly differing formats and degrees of completeness. Each of those will need to be:
a) Interpreted
b) Put through a data entry process
c) Supplemented with metadata about the data subject
d) Matched to the customer record
Whichever route you take, verify the requester's identity before releasing anything (the GDPR allows you to ask for additional information to confirm it); a DSAR process that discloses records without adequate identity checks is itself a breach waiting to happen.
In any event, we are working to a defined timeline (one month from receipt, extendable by two further months for complex or numerous requests) while controlling the cost, so processing efficiency really matters.
Breach management
We all now know that if there is a breach of personal data we must notify the ICO within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to individuals), and must notify the affected data subjects "without undue delay" where the breach is likely to result in a high risk to them. It will be difficult, but it is the law, so we must comply. Fine, but how do we achieve this without putting our company out of business?
Just thinking this through: say we are a large insurance company and our customer data warehouse is hacked. We send a message along the lines of "Unfortunately, due to a cyber attack, your personal data has been disclosed" to, say, 250,000 customers, prospects, past customers and so on. To pass muster, that message must describe the nature of the breach, its likely consequences, the measures being taken to address it, and a contact point for further enquiries. Servicing that new demand is likely to max out the contact centre, as those calls will have a long average duration. If the agents have been trained and a script has been prepared in advance, this could be handled, but unfortunately it is not that simple. Different people may need different information. Some callers will understand what is happening, others will need reassurance. All of this could prevent other urgent interactions from taking place.
Though historically a covert 'black art', breach handling will need far more transparency and pre-planning. Organisations must also be prepared to demonstrate that mechanisms exist to facilitate and track the decision-making process, ensuring that those accountable are fully involved; the GDPR requires every breach to be documented (the facts, its effects and the remedial action taken) whether or not it is notified.
The key stages involved in managing a personal data breach are:
Discovery – Someone realises that personal data might have been exposed.
Investigation and containment – The team determines which records are involved, what categories of data they include, the cause, and how to stop further exposure. In some cases containment might include measures such as notifying banks or resetting credentials and access codes.
Risk assessment and mitigation – Various parts of the organisation must collaborate to assess the impact that the information disclosure might have on the data subjects and to take any actions practicable to mitigate the risk and reduce the impact.
Notification – When required, the ICO (within 72 hours of becoming aware of the breach) and the affected data subjects (employees, suppliers, customers) are notified. The notification must give adequate information about the nature of the breach and offer help and advice.
Resolution – As the situation develops, best practice would be to follow up the communications with the data subjects and advise them regarding the actions that have been taken to prevent recurrence and where appropriate compensate them for their inconvenience.
The Notification and Resolution stages may involve significant volumes of customer interaction. This is where an automated flexible dialogue can be deployed driving towards an ‘omni-channel’ approach. I have been working with some vendors looking at technologies which have the potential to deliver automation of transactions and large scale self-service. I would welcome feedback from fellow Hiveminders interested in this area.
Please let me know if you would be interested in attending a workshop session to explore this in more detail.