Rakesh Jha FIP CIPP/E CIPM PMP CSM

How GDPR will affect the BPO industry

Blog Post created by Rakesh Jha FIP CIPP/E CIPM PMP CSM on Apr 24, 2018

The objective of GDPR is to give control back to EU citizens and residents over their Personal Data and simplify the regulatory environment. GDPR was adopted on 27 April 2016 and will become effective from May 25th, 2018. The impact of the regulations is far reaching not only for data subjects (individuals whose data is stored by government and private enterprises) but also for enterprises storing and processing personal data. The scope of GDPR is addressed in the next section and finally we cover the data security, data retention and outsourcing implications of GDPR. WHile the goal is to reshape the way companies approach data privacy , by giving greater control to individuals. Most people would agree that cracking down on companies that spam and mistreat people’s personal data is only a good thing, and it is...however the new regulations also dramatically affect the way all businesses control and process data with current and potential customers. This puts BPOs (business process outsourcing companies) in the spotlight. 

 

For most of BPO or as Vinayak Godse from DSCI quotes it - "BPM service provider" need to understand the following terms at minimum :

  • Data Controllers – data controllers control the personal data of data subjects for example a company stored personal data of employees or a bank stores personal data of its customers. Data controllers can appoint data processers to process personal data, however there need to be written instructions to ensure compliance to GDPR.
  • Data Processers – they process personal data based on instructions provided by data controllers and must comply with the GDPR regulations.
  • Data Subject – individuals (EU Citizens and residents) whose data is stored by data controllers and processed by data processers. Data subjects need to give their consent to enterprises about storage of their personal data and can withdraw the consent at any point of time.
  • Data Breaches – in case of a data breach enterprises need to inform the regulatory authorities of the breach within 72 hours of the incident.
  • Data Protection by Design – enterprises need to ensure that data protection guidelines are there in the design of data management processes and systems that would need to comply with GDPR. For instance, if you are planning a Data Mart hosted on a hybrid cloud of a 3rd party data processer, the personal data would need to be anonymized before usage by analytical applications and users.

The data protection directive was very simple when it came to communicating with people – companies offer people the opportunity to opt out of communications and then make sure they adhere to it. Now, however, companies will need ‘consent’ or ‘legitimate interest’ in order to make contact. Marketing professionals are most worried about the size of their databases, which might drop off the cliff if you’d need to ask every prospect for consent to sell to them! Can a sales professional still email or call a lead to introduce their company? Confusion reigns, and in the UK alone, there are hundreds of conferences, webinars and guides all helping to answer everyone’s questions and concerns.

 

As a matching service dedicated to the world of everything ‘customer’, AboutMatch surveyed BPOs to find out how GDPR will affect companies that manage customer contact on behalf of their clients. It’s a touchy subject because GDPR raises the question of whose responsibility it is to adhere to the regulations. GDPR will have an unquestionable impact on the BPO landscape. Under the Data Protection Act, most of the responsibility for data lay with the data controller (the client) and not with the data processor (the BPO), giving BPOs a degree of protection. With the changes, BPOs now need to comply and accept responsibility for the data, ensuring it’s treated correctly, or potentially face massive fines. BPOs are now being asked to take control of a process that previously was controlled predominantly by the client. The implication is that BPOs and their clients will need to work together more closely than ever to take shared responsibility for any data that is being used, ensuring that consent has been obtained. 


BPOs surveyed are focusing on the 12 steps to GDPR compliance as set out by the ICO. Which was discussed at the nasscom gdpr webinar .The appointment and training of Data Protection Officers is being driven by a need to comply with the legislation.


A question commonly asked is whether companies that offshore their contact centre operations will be affected by GDPR. The short answer is yes, but it’s complex – consider the storage of data with cloud providers, and that data stored outside the EU will be subject to the laws of the country it’s stored in, with some cloud providers not even knowing where all their client’s data is stored. Also once GDPR comes into force, it will be very difficult for companies to transfer data outside of the EU, without consent of the data subject first. Detailed auditing and close partnerships are again going to be crucial for compliance.

 

Another challenge of GDPR is time and cost, and this will vary considerably by company. In order to be compliant, resource needs to be allocated, data and processes mapped and training provided. Professionals are also spending a lot of time trying to self-educate.


But it’s not all doom and gloom - there are some opportunities in the BPO world. Firstly, as ICO suggests, gaining consent to use a data subject’s details could be a quite a lengthy administrative task, which is actually an ideal project for a BPO. It might only be a short-term project, however industry spikes are something that BPOs thrive on. If you’re trying to find a contact centre outsourcing company to help gain consent from your data subjects, AboutMatch can recommend an expert in this area.

 

Legislation is playing catch-up to the internet and its capabilities, with GDPR ultimately being a step in the direction of giving individuals newfound rights with their data. It will create a whole new way of thinking for companies as to how they use this data. 


One of the most common views is that GDPR will help make our use of data much more personalised. The number of people companies will contact, sell to, direct market to, will decrease dramatically, however the people they do reach, in theory will be more engaged as they have actively given consent to be contacted, or at the very least be deemed as having legitimate interest. This is a positive step for companies with a customer first agenda, as these practices lead to increased engagement and conversions for the client and improved experiences for their customers, thus strengthening the relationship between customer and brand.

Outcomes