“How do we continue to deliver great customer service and still get compliant with the GDPR?” is a question we have heard from many of the organisations we’ve worked with in preparing for the new data protection regulations. Of course, the answer is to find a balance between the two – if you drop customer service, you may not have many customers to serve. But if you drop the GDPR obligations, you may not be around to serve customers anyway!
As we have been through the GDPR preparatory process, many organisations have worked out how to keep customer service front and centre of their organisation, yet still comply with the regulations. Sometimes this requires a change to the way you do things, and sometimes you just need to document your rationale. This article brings out our shared experiences in working through the GDPR – the good and the not so good.
How long can I keep personal data?
The regulations say that you should specify a retention period for personal data, or the criteria under which it will be deleted. This is a contentious point for many organisations, as online systems and “free” storage make it easy to keep personal data essentially for ever. Here are two examples of how this has been dealt with:
- An interior design and flooring company keeps records of its jobs for quite a long period of time, as customers come back to raise queries such as “what colour paint did we use?” or to make insurance claims. The company decided that 7 years was an appropriate period to maintain this information – any longer and it would no longer be valid. They implemented a process to cycle their records through secure storage and then destruction over the seven year period. So they developed a valid justification, a robust process and the required documentation.
- A civil engineering company in West Sussex needs to keep records of its civil engineering projects for many, many years. The answer to keeping personal information about these jobs was simple – don’t. The important point was to keep information about the civils work and the organisation that commissioned it, but not the individuals involved. So personal information is being deleted from these long-term records – a bit of lateral thinking won out.
Keeping information current and managing its deletion
The regulations require you to use reasonable efforts to keep information accurate, but also to delete information when requested by a data subject – the right to be forgotten. An information audit is sometimes required to identify what personal information you hold and where. In some cases, computer software has evolved that can make this task easier. Here are three similar examples.
- A supplier of ours is an online shop for all sorts of office supplies. Users register to use the site and subsequently maintain their own personal data. The ecommerce platform was updated to be GDPR compliant and lets users request that their data be deleted. In this case the platform retains the customer number, but not the associated customer records.
- Member profiles of the Haslemere and District Chamber of Trade and Commerce are kept on its website and enable members to promote their organisation to others. A GDPR update to the WordPress plugin “Ultimate Member” not only allows members to make changes to their profile, but also to delete all their information stored on the website, making it easy for both members and the Membership Manager.
- An insurance broker we worked with was in the process of developing a new software application. They have built into the spec that after a specified number of years with no contact with a past client, the computer system will raise an alert to the system administrator. The business can then decide the most appropriate action to take.
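As an added illustration (this is not the insurance broker’s actual system, nor code from the flooring company or this article), the following script shows how a retention alert of the kind just described can be implemented. It generalises slightly to also cover the earlier archive-then-destroy cycle: records older than one threshold are flagged for secure storage, and records past a second threshold (or with no last-contact date on file) are raised for a human decision rather than deleted automatically. The record fields, policy thresholds and customer ids are all assumed or constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RetentionPolicy:
    """Assumed policy thresholds, expressed in whole years since last contact."""
    archive_after_years: int   # move the record into secure (offline) storage
    review_after_years: int    # raise an alert so the business decides what to do


def years_since(earlier: date, later: date) -> int:
    """Whole years between two dates, counting only completed anniversaries.

    A record last touched on 1 June 2022 is 1 year old on 31 May 2024 and
    2 years old on 1 June 2024; 29 February anniversaries are handled by the
    (month, day) comparison without special casing.
    """
    years = later.year - earlier.year
    if (later.month, later.day) < (earlier.month, earlier.day):
        years -= 1
    return years


def retention_action(record: dict, today: date, policy: RetentionPolicy) -> str:
    """Classify one record as 'active', 'archive' or 'review'.

    A record with no last-contact date cannot be aged, so it goes straight to
    human review: the safe failure mode is an alert, never a silent deletion.
    """
    last_contact: Optional[date] = record.get("last_contact")
    if last_contact is None:
        return "review"
    age = years_since(last_contact, today)
    if age >= policy.review_after_years:
        return "review"
    if age >= policy.archive_after_years:
        return "archive"
    return "active"


def retention_report(records: List[dict], today: date,
                     policy: RetentionPolicy) -> Dict[str, List[str]]:
    """Group customer ids by the action the policy requires today."""
    report: Dict[str, List[str]] = {"active": [], "archive": [], "review": []}
    for record in records:
        report[retention_action(record, today, policy)].append(record["customer_id"])
    return report


# Constructed sample data: a handful of past-client records as a CRM might hold them.
SAMPLE_RECORDS = [
    {"customer_id": "C001", "last_contact": date(2024, 1, 15)},
    {"customer_id": "C002", "last_contact": date(2022, 6, 1)},   # 2 years today
    {"customer_id": "C003", "last_contact": date(2017, 5, 31)},  # just over 7 years
    {"customer_id": "C004", "last_contact": date(2017, 6, 2)},   # one day short of 7
    {"customer_id": "C005", "last_contact": None},               # no date on file
]

# Assumed policy: archive after 2 years of no contact, alert an administrator after 7.
SAMPLE_POLICY = RetentionPolicy(archive_after_years=2, review_after_years=7)


if __name__ == "__main__":
    report = retention_report(SAMPLE_RECORDS, date(2024, 6, 1), SAMPLE_POLICY)
    for action, ids in report.items():
        print(f"{action:>8}: {', '.join(ids) or '-'}")
```

Running the script with the constructed data on 1 June 2024 lists C001 as active, C002 and C004 for archiving, and C003 and C005 for review. The point of the design is that the system never deletes on its own: it produces the evidence (which records, and why) that lets the business make and document the decision, which is what the regulation asks for.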
Do I need a Data Privacy Impact Assessment (DPIA)?
A DPIA is a process required under the GDPR to analyse, identify and minimise the data protection risks of a project or plan. It should be conducted whenever you make a change, or introduce a new or different way of doing things, that might affect personal data. Conducting a DPIA can appear quite daunting, but it is not difficult if managed sensibly.
We worked with two organisations with very similar processes that, although they did not formally work through a DPIA, did think through the issues – although belatedly:
- The first organisation services large ponds for its clients across the south of the UK. All their records were paper based and they were in the process of putting them online and equipping their staff with iPads. They also kept a record of the security access codes for their client properties. Their intention was to be able to respond more quickly and less intrusively to servicing customer needs. They had two problems here – by providing their staff with electronic access to client accounts and access codes they had a big security risk. If an iPad got lost or stolen, an unauthorised person potentially had access to a lot of compromising information. The firm had not completed a data impact assessment! If they had, they would have realised the implications of what they were doing and perhaps changed their approach.
- The second organisation also services facilities on client properties, and staff had created a database of access codes to enable them to go in and out without disturbing their clients. In talking this through with our client, a simple way to protect the data was to encrypt the PC on which the data was held. A secure, clean solution. However, on further thought it turned out that a number of clients regularly changed their access codes, but our client didn’t know who or when. So keeping a record of access codes was of limited use, and they stopped doing it.
Keeping information safe and secure
There is an obvious requirement to keep personal information safe and secure and to prevent unauthorised access. Here are another three examples of how organisations have thought this through and maintained customer service while meeting regulatory requirements. Many personal data breaches are caused by inadvertent or malicious actions by staff, so protection needs to be built in at the technology, process and staff training levels:
- A health spa client provides individual treatments for its guests. In the past, the next day’s treatment schedule would be posted under the door of each guest on a folded piece of paper. There was a risk the schedule could be posted under the wrong door, leading to a breach of personal information. Avoiding this breach involved a very simple change – put the piece of paper in a sealed envelope addressed to the appropriate guest. Job done!
- Another client provides bookkeeping and payroll services for firms and used to maintain client records in Dropbox. To increase security, the company took two major steps: moving all their information onto Microsoft OneDrive and implementing access controls on each client folder. The client information is now secure from a technology point of view and protected from staff error.
- Our interior design client keeps all current customer files on paper in the office at the rear of the business. Although relatively secure, in that a would-be thief needed to get past staff and into the back room, there was room for improvement. The simple and obvious step was to put a locked roller door on the cabinet. All secure.
Ahead of the GDPR we heard a lot of “naysayers” complaining that the GDPR would stifle business. But our experience has not borne this out. We have found it is possible to maintain high levels of customer service. But sometimes you have to think about the issue differently, use technology in a different way or change your business processes.
We hope you have found this article useful and that it has given you food for thought as you address your own issues. If you would like help, please get in touch. The number’s 01428 770 290