This is a story about Freida. Freida signed up for your product by sharing her email address and phone number. Post-trial, Freida decided not to go ahead with your business. You targeted Freida using her personal information which she shared to gain access to your product/service. She wanted you to ignore or forget her data but couldn’t enforce it. Freida’s friends laughed it off stating that it was normal for all companies to use her data. Freida disagreed and sued you for violation of her privacy and misuse of personal data under the new GDPR regulations. You ended up losing €20 million because of your gross negligence.
GDPR 101: Misuse of personal information
Freida willingly provided her email address and phone number while signing up for your product/service. So how does a case of misuse of her personal information arise?
What is personal information?
Any data collected about Freida is considered to be her personal information. This includes her name, residential address, email address, usage history, phone conversations, call notes, etc. GDPR guidelines view personal information or identity as everything associated with Freida’s account.
Personal information collected for the purpose of creating her account or for providing better services cannot be used for other purposes. Naturally, this extends to any third-party tool that you use to handle your business conversations, billing, etc. You should ensure that Freida is clear about how you / your partners are going to use her information to provide a better service. It is not enough to just clarify the usage of Freida’s personal information. It is essential that you obtain her explicit consent for using her personal information.
GDPR 102: Explicit user consent
Consent has become vital in handling Freida’s information. You are required to obtain explicit consent from your prospect/customer when requesting their email or any other personal information, and before using it. Your product/service should list all the terms and conditions in concise (read: not 50 pages long), simple language that can be easily understood by all.
Your product/service should be available to all without having to consent to additional requests for information. For example, Freida should be able to use Freshcaller with just her email address and is not required to give her physical address (if it’s not essential to the product/service) or sign up for your regular updates. Moreover, Freida has the right to withdraw her consent provided to you and your third-party vendors to use her personal information.
Data is not yours. It belongs to your consumers, and they can choose to provide or withdraw consent anytime during your relationship.
Freida can withdraw her consent anytime she believes that her personal information is not being used to improve her experience. Freida can, in fact, ask for her data to be deleted and exercise her right to be forgotten by your business. You need to permanently delete any data collected when your customer cancels your product/service. If Freida requests access to her personal information, you should be able to share all the data without fail.
Many businesses understand the need for complying with GDPR regulations. However, it is also difficult because of the complexity of the work involved. It is as much about changing the culture of your company as it is about making changes to your code or operations.
Your GDPR deadline – May 25th, 2018
Businesses need to be GDPR compliant by the 25th of May, 2018. All organizations, small or large, should be GDPR ready before the deadline. Every conversation with a European prospect/customer needs to comply with the GDPR regulations. GDPR regulations are applicable to your business even if you are not based out of Europe.
Simply put, complying with the GDPR regulations is not just about obeying the guidelines. It is about knowing that you can use the personal information of your customers/prospects only after obtaining explicit consent. This consent can be withdrawn at any point in time.
GDPR regulations for your call center software
All your products/services along with your third-party partners who help you in your customer-focused activities need to be cognizant of the GDPR regulations. It is vital that all your partners including your call center software are GDPR ready before the May 25th deadline.
Freshcaller is your GDPR ready call center software. We have taken care to ensure our compliance with the GDPR regulations. Freshcaller is committed to adhering to the highest standards of data privacy and security. Do check with your current call center software about their commitment to GDPR.
We have ensured that:
All call data including call recordings are in an encrypted format
Your phone data, including your call metrics, notes, and recordings, is stored on our server in a fully encrypted format.
Account deletion means deletion of all associated data
We respect your decision to shut down your Freshcaller account. If you wish to move on after deleting your current Freshcaller account, all phone-related data including your call notes and recordings is removed from our database. All data associated with your account is wiped clean.
Convenient deletion of call notes & call recordings
Administrators and supervisors can delete call notes and phone call recordings. You can delete phone call information from the ‘Call Metrics’ page in Freshcaller. Easy deletion capability in your call center software ensures that you can remove conversations that are no longer relevant to your business. Customer requests for data deletion can be handled easily in Freshcaller.
Record phone calls after obtaining explicit consent
GDPR regulations are clear about using personal data, including conversations, only after obtaining explicit consent from your customer/prospect. Old-fashioned methods, like stating that calls are being recorded without giving the caller a chance to register an opinion, are illegal. Your call center software needs to provide manual call recording options to allow your teams to record conversations after consent is given.
Why did Freida sue you for violating GDPR regulations?
Violating GDPR regulations typically lands you in trouble with varying degrees of fines. The nature of the violation committed determines your GDPR fine. You could end up paying a penalty of up to €20M or 4% of global turnover.
Freida registered a complaint because you broke her trust. You utilized her email address and other information to track her usage patterns. Freida had a problem with you tracking her information for activities which had nothing to do with your product/service. Failure to delete her account data after her account closure was a gross violation of the GDPR regulations on retaining personal information.
Be mindful of the fact that consent can be taken away by Freida and others at any given time in your relationship. You will have her consent as long as you can retain her trust in your business practices and service. If you remember this simple rule, you will be able to build systems and services that are compliant with the latest GDPR regulations. Do drop us a note if you are looking for a GDPR ready call center software.
Illustration by Nikhil Kanda