The consumer fights back
New data protection laws and what they mean for the call centre
Unify Issue 4
So far only the financial industry has faced heavyweight regulation on record keeping. Now punitive new EU law is set to clamp down on every business trading by phone.
The thicket of regulations and directives that already surrounds call centre activities is soon to become denser still with the coming into force in 2018 of the General Data Protection Regulation (GDPR) and MiFID II directive.
GDPR has implications for all organisations that collect information about customers resident in the EU, while MiFID II (Markets in Financial Instruments Directive II) applies only to financial services operations involved in the trading of investment market products such as derivatives, commodities, bonds and complex products like credit default swaps and collateralised debt options.
Both rulings are creatures of the EU; both can be expected to have force in the UK following Brexit, whatever leaving the EU eventually looks like. Both make new demands that will compel organisations to review and heavily revise the ways in which they gather, and preserve for later examination, evidence of how they conduct their activities.
MiFID II might be characterised as a bolting of the stable door after the financial crash of 2008, aimed as it is at regulating the sale of the kind of complex financial products that led to the meltdown.
GDPR is something rather different – a legal framework that aims to restore to citizens some of the control they once had over the propagation and use of their personal data. It is a reset of the relationship between corporations and their citizen customers. Before GDPR, customer information was increasingly ‘owned’ by the acquiring corporations. They could do what they wished with it. When GDPR takes effect, the power shifts back to the individual. Companies will no longer be able to behave as if they own the data; they hold it on explicitly consented loan, and need to prove they are worthy of trust in order to retain it. If they lose personal data, or allow unlawful or accidental access to it, then they must report the incident to their in-country information commissioner within 72 hours.
GDPR will have global effect, radical though this sounds. It will protect the data of EU citizens, wherever in the world they reside, or wherever their data is kept or used. Moreover, it will extend beyond the primary organisation to all partners in the value chain. Each of them will be obligated under GDPR to check that they themselves are compliant with the directive and, further, to ensure that the entities they interact with are compliant too.
The penalties available under GDPR are also of a different order of magnitude, at up to four percent of global turnover. If the UK’s information commissioner had been working under GDPR in 2015 then the £400,000 fine levied on TalkTalk for its customer data breach could have been as high as £72 million. The obligation to report data breaches within 72 hours leaves organisations with no real hiding place.
Previously, some organisations might have thought that toughing it out and saying nothing was the pragmatic response to a data breach. If the news eventually leaked out, then the resulting fine was not going to have a major impact on the bottom line. Now, however, trying to cover up a breach will likely result in an even stiffer eventual penalty. Moreover, the possibility of private claims is higher, because class action and no-win-no-fee lawsuits will find it easier to convince courts of non-compliance with GDPR’s specific elements.
That was then, this is now
Wind back in history 200 years, and business was transacted by spoken word and by written correspondence. Today, business communication channels are rather more complicated. Face to face contact and letter writing persist, but have taken a back seat to telephony, email and video links such as Skype. This, then, is the multi-channel environment that GDPR seeks to regulate.
As with previous and existing regulations and directives, neither GDPR nor MiFID II is prescriptive about the technology that enterprises must deploy in order to prove compliance. The what of compliance is set out, but the how is left to the organisation to determine.
Gary Dudbridge, a telecoms consultant and previously head of telecommunications architecture for a tier 1 international bank, says this lack of prescription is typical and deliberate: it is not intended to give organisations rope with which to hang themselves, but crafted so that they are not forced to deploy technology that might be quite inappropriate for their business model or the size of their operation.
Regulations and directives tend to be tested through fines, test cases and ultimately litigation. They are deliberately open to interpretation. They might say you have to keep a record of something, but not tell you how. As a sole trader gathering customer data you might be able to argue successfully that keeping a paper record of transactions is adequate, but a call centre of a major bank, for example, will be expected to be able to provide a complete electronic after-the-fact reconstruction of every multi-channel interaction. That means recording, and being able to quickly retrieve, email, web chat and collaboration BlackBerry messages, SMS, landline and mobile – perhaps dual SIM – voice calls, and even Skype or FaceTime too. Anything that is evidential will be regarded as material.