Posted by: Malcolm Jarvis CIPP/E
Call centre operations often require agents to read one or more lengthy legal statements as part of entering into a new contract. If you’ve ever entered into a new mobile phone deal via your provider’s call centre, you’ll know that these can be tough going. Any time I’ve encountered them, the only person getting more bored than the customer during the reading of these compliance statements is the poor agent reading it for the hundredth time that day.
With this in mind, consumers and business owners alike will be overjoyed to learn that the GDPR adds numerous new statements that call centre agents will be legally obliged to convey. They will either need to provide these statements over the phone or alternatively ensure that customers can easily access them via other means such as by e-mail or your company website. These new requirements substantially enhance the data transparency obligations placed on companies under the Data Protection Act and all indications are that companies will need to be much more proactive in communicating details of individuals’ rights in respect of their data.
If you’ve read our previous GDPR post regarding cold calling, then you’ll be familiar with the concept of the balancing test used to demonstrate that you’ve a legitimate reason for using someone’s information to call them. Safeguards are a key part of tipping this balance sufficiently in your favour. Ensuring that individuals are aware of their data protection rights and how your company uses their data are both mandatory safeguards you will need to implement after May 2018.
As I’ve mentioned previously, we don’t know exactly how these new regulations will be interpreted into UK law, and there's always the updated ePrivacy Regulation coming into force hot on the heels of the GDPR, just to keep us all on our toes. It’s a safe bet though that most of these new rules will be adopted without many changes and, with little time left before 25th May 2018, companies will need to start planning sooner rather than later. Yes, it's possible that the goal posts may continue to move, but at least we'll be pointing in the right direction.
Also, my usual disclaimer - I’m not a solicitor, nor in the legal profession. The information provided here is my best effort as someone involved in the call centre industry who doesn’t mind spending hours and hours reading the text of the GDPR and its recitals and opinions in an attempt to help companies translate it into specific action. Wherever possible I’ve included links to where my conclusions and advice have come from so you can double-check them for yourself.
Your Data Protection Statement
Details of the new information that will need to be provided to individuals regarding your use of their data are listed in the “Rights of The Data Subject” section of the GDPR in Articles 12 to 23. In this article we’ll explore the information and statements you’ll need to start providing to people you’re contacting, as well as how and when that information is to be supplied.
Currently the ICO recommends companies provide a Privacy Notice to consumers in order to comply with the Data Protection Act. The GDPR updates and extends these requirements and is very specific about when this information is to be communicated to consumers. So far, there's a lot of advice regarding the GDPR available for companies gathering data online, but the GDPR also introduces new demands that are especially relevant to call centres, particularly those carrying out direct marketing.
For the purposes of this discussion, I’m going to refer to the “Information to be provided to the data subject” as your Data Protection Statement. We could use the term Fair Processing Notice or Privacy Notice, but as these are currently in common use for the pre-GDPR requirements, and they're more commonly used in relation to website notices, we'll avoid using them for now. When the GDPR is translated into UK law, a new standard may emerge, but for this discussion we'll use Data Protection Statement to set it aside from previous requirements.
Before we have a look at what you’ll need to say in your Data Protection Statement, let’s first get familiar with when, how and why you’ll provide this information.
The GDPR states that the latest you can provide the “Information to be provided to the data subject” is the first time you use someone’s data to make contact with them. Normally, if someone was providing their information to you directly, for example when they filled in a form on your website requesting that you contact them, you would simply supply this information at that point. In the case of direct marketing calls, where you’ve acquired an individual’s personal data via a third party, you’ll need to provide this information on the first connected call to the individual, although there will no doubt be some exceptions to this rule.
For example, if you don’t get past the first 10 seconds of the call before the customer hangs up, it’s unlikely your agent will have been able to fit in a lengthy statement regarding data protection. It’s possible that standards may emerge where it’s necessary to offer this information within, for example, the first minute of the call, but so far this has not been detailed anywhere I’ve seen.
In circumstances where you’re cold calling through a data list I’d personally go for a three-pronged approach. For successful calls where you’re proceeding with an order or otherwise initiating an ongoing relationship with the customer, your Data Protection Statement will become part of your standard confirmation or verification statements. This could be before or after you start to gather additional data in order to process their order etc, it’s up to you.
When the customer is not going ahead, then you’ll need to offer them further information on your “data protection obligations” during the “End Call Politely” phase of the conversation. It’s unlikely that many customers are going to want to listen to a legal statement if they’re keen to get off the phone, but the wording of paragraph 3 of Article 14 suggests you’ll need to make the offer. You could always mention that the information is available on your website in order to remain compliant without having your agents run through a lengthy data protection statement unnecessarily.
Lastly, you’ll also need to provide your agents with access to the full statement at any point during the call should the customer ask for more information on how you got their data, what data you have stored on them or what you intend to use their data for. It’s likely that during the weeks and months after the GDPR comes into force, consumers across the EU will become a lot more data savvy, and your agents may find themselves regularly being challenged on the way your organisation stores, processes and protects individuals’ data. Having this information easily available to your agents, combined with appropriate training, will help reduce complaints from agents and customers alike.
Article 12 states that the information you’ll be providing to individuals in your Data Protection Statement needs to be provided in a clear and concise manner, in other words, you can’t blur the information with confusing legalese or jargon.
While the GDPR doesn’t state that you must provide this information via the same media that the information was requested by (i.e. by e-mail if requested via e-mail, or by phone if requested by phone), it’s a safe bet that the easier you make it for people to access this information, the better your organisation looks if a complaint gets investigated.
In the rules regarding opting-out from consent that was previously given, the GDPR states that the means by which individuals opt-out must be just as accessible as the means by which they opted-in. Following that logic, it’s reasonable to assume that if someone requests information on your use of their data by phone, you’ll be expected to at least offer to provide that information by phone. Obviously it will save time and costs if your agent can direct the individual to your website or provide the information by e-mail, but the customer should probably have the final say.
Where a request for information comes from an inbound call, businesses will have a duty to perform reasonable identification checks to ensure that they are providing the information to the correct individual and not a fraudster. This may be justification for storing personal details that wouldn’t otherwise be needed, such as dates of birth, in order to have suitably private information available to carry out such checks.
It could be argued that this would only apply insofar as the business can justify retaining other personal information that this “security check” information would protect. For example, there’s no point having someone’s date of birth in your records if the only other information you have regarding them is publicly available. In the event that you can no longer justify retaining someone’s personal details and these details are scheduled for deletion, presumably the information solely used for security checks to protect that data should be deleted too.
Companies not complying with Articles 12 to 23 of the GDPR will be subject to maximum fines of €20 million or 4% of turnover, whichever is greater. This will be enforced in the UK by the ICO, presumably with gusto. That’s why.
What Needs To Be In Your Data Protection Statement?
So what will we need to include in our Data Protection Statements? The bad news is that there’s a lot, and perhaps unsurprisingly for data protection legislation, it’s dry as toast. The good news is that figuring out what we need to say isn’t too tricky as these items are listed in Articles 15 to 22 of the GDPR. It’s a bit of a slog, but let’s have a go at translating these requirements into a typical call centre script.
For the preamble, we’ll need to let the customer know why we’re about to launch into a 3-4 minute statement on data protection, and ideally give them the option to access this information online or by another means if they’d prefer. So, we could open with:
As you may have heard, businesses in the UK are subject to new data protection laws, which include ensuring that you are aware of both your rights and how we, as a company, use your data. I can provide you with this information just now over the phone, or if you prefer I can send it to you along with your welcome pack (or whatever). Would you like me to read it to you just now?
No problem at all, this will just take a couple of minutes.
Articles 13 and 14: Information to be provided to the data subject...
Articles 13 and 14 outline the information that you must provide to individuals regarding their data. Article 13 is for when the individual has provided you with their data directly, and Article 14 is for when you’ve obtained their data from a third party.
These are pretty much identical except that when you’ve obtained the data from a third party, you need to inform the individual where you got their data from. This probably won’t be practical if directing people to your website for this information, but I’d guess it would be OK to have the content on your website provide general information alongside advice stating individuals can contact you by phone or e-mail to request more specific details.
The rights listed in Articles 15 to 22 are summarised in Articles 13 and 14, however there are a number of requirements only listed in Articles 13 and 14, so we need to make sure we cover them in our Data Protection Statement.
Identify The Controller
Firstly, we need to state who the data controller is, i.e. your company, and how to get in touch. We’ll come back to this information a few times later in the statement, so even more reason to be thorough here.
Your data that we discussed today is stored and used by Your Company Here Ltd. You can contact us on 0330 XXX YYYY between 9am and 5pm Monday to Friday. You can also e-mail us at email@example.com, or write to us at 10 Example Street, Exampleton, EX4 1PL. Our website is www.yourcompanyhere.com.
Identify the DPO
For companies requiring a Data Protection Officer, which we’ll discuss in a future post, you also need to provide a means to contact them specifically:
For any enquiries specifically regarding data we store about you, or how Your Company Here Ltd uses your data, you can contact our Data Protection Officer via e-mail at firstname.lastname@example.org or write to them at our company address marking your letter for the attention of the Data Protection Officer.
Business Purpose and Processing Reason
The next two requirements can be combined: the purposes of the processing and your legal grounds for processing. You’ll already have documented the purposes of the processing as part of the balancing exercise for the campaign, and if your legal grounds for processing are based on your business’ legitimate interests you’ll also have already documented a description of these legitimate interests. Both the balancing test and legitimate interests are discussed in detail in our previous GDPR blog post here.
Your Company Here Ltd is a business dedicated to providing consumers with excellent products and services. We only use your data to action orders you have placed with us, to contact you regarding your orders, and, should you agree that we may do so, to keep you informed of any future products or services we believe you may be interested in.
Or, if following up on an online application:
We use your data based on the consent that you provided to us when you filled out our application form on our website.
We use your data based on the consent you provided when you filled in the survey on Example Lead Company Ltd’s website.
Third Party Recipients
If you’ll be sharing the individual’s data outside of your organisation, you need to state who that will be, or categories of recipients if applicable. As consent needs to be specific, the basis for passing data to “categories of recipients” without naming specific companies would need to be one of the legal bases listed in Article 6, such as in order to fulfil the contract you are entering into with the customer. If you’re not going to share the individual’s data outside of your organisation, then it’s probably a good idea to say so:
We will not share your data with any other businesses.
Otherwise, something like:
In order to process your order we need to share your information with credit reference agencies.
Data Travelling Outside the EU
If applicable, you need to state whether the individual’s data will be travelling to a country outside the EU or to an international organisation, and whether this country or organisation is or isn’t covered by an “adequacy decision by the Commission”. This requirement goes on to reference Articles 46, 47 and 49, but the essence is that if you plan on transferring the data of an EU citizen to a country or company outside of the EU where data protection laws are less strict than those of the EU, you need to provide suitable safeguards yourself to ensure such standards are met regardless. If this sounds like it applies to you, then professional advice from a solicitor specialising in the GDPR would be money well spent.
Assuming you’re working with a company that does meet the EU’s adequacy standards, something along the following lines should do the trick:
As your order will be shipped from our warehouse in Country X, we will securely transmit limited personal data including your name, address and list of the items you have ordered outside of the EU in order to complete your order. Country X has international recognition as having adequate data protection standards as defined by the EU.
Data Retention Policy
Lastly in this section, you need to state how long you intend to keep the individual’s data for, or, if that’s not possible, you need to state the criteria that you’ll use to determine when you’ll delete their data. This might be something like:
We will retain details of your order for 6 years in order to comply with HMRC requirements.
After we have securely transmitted details of your order to our processing partner, we will retain your name, address, telephone number and order summary information for 2 years in order that we can stay in touch with you. If we have not communicated with you further during this time, we will delete the personal data we hold regarding you at the end of this period.
Obviously this will depend on the nature of your call centre’s operation and whether you are transacting the outcome of the call within your own company or you need to pass the customer’s details elsewhere to be processed.
Article 15: The right of access
Moving on, Article 15 deals with the right of data subjects (i.e. people who you store data about), to request details of:
- Whether you have any data regarding them
- What you use their data for
- If you intend to send that data elsewhere or if you have sent that data elsewhere and to whom (this is covered further in Article 19: Notification Obligation)
- How long you’ll keep their data for
- Where you got their data from, if not from them directly
- Details of all their rights relating to their data
You don’t need to provide this information as part of your Data Protection Statement, but you do need to let them know that they have this right. Something along the following lines should cover all the necessary bases:
If at any point you wish to see a copy of the data we hold on you, details of how we use and store your data, or receive further details regarding your rights, you can request this from us via phone or e-mail using the details I gave you a moment ago. Would you like me to provide our contact details again?
Article 16: The right to rectification
People will have the right to ask for their information to be corrected, to have incomplete information added to, or to have supplementary notes added to the data held regarding them.
It’s worth noting that Article 19 requires you to forward details of any such changes requested to any third parties that you have already passed the data to. This means you’ll need to keep accurate logs of what data has been transmitted outside your organisation and to what companies. This requirement also applies to Articles 17 and 18, coming up.
Anyway, you also need to tell customers about this right, so something simple as in the following should tick the box:
If any data we hold regarding you is incorrect, you may request a correction to your data at any time.
Article 18: The right to restrict processing and Article 21: The right to object
The “right to restrict processing” detailed in Article 18 allows people to request that companies or other organisations cease using their data either temporarily, perhaps while they arrange for their data to be corrected, or permanently, because they believe their data is being used illegally. The “right to object” covered in Article 21 also covers situations where individuals simply don’t want you using their data any more and you can’t justify using it regardless of their objections.
In the context of call centres, it’s likely that the individual may also exercise their “right to erasure” from Article 17 (we’re coming back to that), but they also might require that their data is retained, but not used, especially if they’re in the process of making a complaint.
In the event that someone does object to your use of their data, that only affects future processing. It doesn’t retroactively mean that any previous processing becomes illegal. So, something along the following lines in your compliance statement will satisfy both these articles:
You may also request that we cease processing your data at any time or object to our continued use of your data. This does not affect any processing that has been carried out prior to your request being received.
Article 20: The right to data portability
This article is likely to be largely irrelevant for most call centre environments, but will be very relevant to companies like banks and utility companies. The right to data portability detailed in Article 20 means that the GDPR will force companies to share their customers’ information with their competitors, in an easy-to-use format, on the customer’s request. This will make switching bank accounts and utility suppliers etc. much easier and should mean that you’ll be able to seamlessly take your transaction history from supplier to supplier.
The GDPR doesn’t state that this can be skipped if it isn’t relevant, so regardless, you’ll need to include something like the following:
You also have the right to request that we transmit all or any data we hold regarding you to a third party in a commonly used electronic format.
Article 17: The right to erasure (aka The right to be forgotten)
This is a personal preference, but I’d say that it makes more sense to talk about deleting someone’s data after discussing restricting processing. In fact, if you’d prefer to address any of these points in a different order than is listed in the GDPR then there’s nothing to stop you doing so, just as long as each is addressed properly.
The right to erasure, as detailed in Article 17, is a bit of a contentious issue, especially in the context of direct marketing. After all, if you delete all of someone’s data, what’s to stop you purchasing their data record again in the future and placing further calls to them? And if you did call them, and the customer complained, you’d have no record of them having requested the deletion, because you’d have deleted all their data. Presumably this situation would quickly get both tedious and dangerous as ICO enforcement actions tend to assume guilt before innocence in the case of aggravated consumers versus businesses with inconclusive record keeping.
The best way I see to get around this endless cycle is to simply inform the customer that, unless they permit you to retain their phone numbers for your suppression list, you run the risk of exactly this situation. If they still don’t agree, then you have a couple of options.
Firstly, you could just advise them to ensure that all their numbers are registered with the TPS, and then carry on with the request according to their wishes. If you end up calling them again anyway, at least you have a documented policy giving them a workable means to ensure they’re not called again.
However, Article 17 states that you don’t need to comply blindly with requests to delete customer data. Paragraph 3(b) states that if you have a legal reason to retain all or some of their data then you can, although you will need to inform them that you intend to do so. This gives a second option where you could argue that you legally need to retain their phone numbers on your suppression list in order to comply with their request not to call them again. Ultimately we won’t know how successful this approach will be until it plays out in the courts or the ICO gives some more definitive direction, but it seems like a reasonable interpretation of the rules for now.
Article 17 also deals with the issue of organisations simply getting in the habit of deleting data automatically once they no longer have any reason to retain the data. How this relates to marketing data will be a matter for individual businesses to decide, but it will be far more applicable for more sensitive types of data held on your systems.
Anyway, as far as your Data Protection Statement goes, you could cover the related compliance requirements as follows:
You also have the right to request that we delete any or all personal data Your Company Here Ltd holds on you at any time. The only reason we would not carry out this request is if it would result in us being in breach of other legal or regulatory obligations we have, but we would always inform you at the time were this the case.
Lastly, there are a few additional requirements detailed back in Articles 13 and 14 that we still need to cover.
If you’ve called the customer based on them having given their consent for you to contact them, you need to let them know that they can withdraw their consent at any time and how to do so. It may be worthwhile reminding the customer as part of this statement that the consent they’ve given is restricted to specific purposes and is specific to your organisation. This would hopefully provide reassurance that your intentions for their data are good and to discourage them from withdrawing their consent in response to you bringing up the possibility. For example:
You have given us consent to use your personal data to contact you in the future regarding products and services from Your Company Here Ltd that we believe you may be interested in. We do not share your data with any organisations outside of Your Company Here Ltd and your data will only be used for the purposes we have discussed.
You have the right to withdraw your consent at any time. This wouldn’t affect any use of your data carried out up until that point, but would have immediate effect from when we receive your request. You can withdraw your consent by contacting us by phone or e-mail, or by writing to us using the details given above. Do you have a note of these?
Next, we need to let the customer know how to go about making a complaint with a supervisory authority, which in the UK is the ICO:
If for any reason you are unhappy with our use of your data and wish to lodge a complaint, you can contact the Information Commissioner’s Office as the supervisory authority within the UK. You can do so using their website at ico.org.uk by clicking the “Report a concern” link and then following the steps found on the page.
We also need to let the customer know whether the data requested is required to fulfil a contract, whether they’re obliged to provide the data, and what the consequences will be if they don’t provide the data.
While you do not have to give us permission to use your data, unfortunately we would be unable to fulfil your order without your permission and I would need to cancel your order.
Data profiling and, in particular, automated decision making (ADM) are substantial concerns within the GDPR, and profiling in the context of creating lists of data that meet given criteria in order to reach more appropriate potential customers falls squarely into the definition of profiling within the GDPR.
If you have narrowed the list of customers you are calling by means of profiling then you need to give details of the logic behind your profiling. This is to prevent situations where vulnerable consumers could be targeted with unsuitable products (for example, people with poor credit ratings being targeted with high-interest unsecured loans), although it’s unlikely that unscrupulous companies will fully comply with these regulations anyway. Either way, if you’re profiling your data, you’ll need to say something about the logic behind it, but it should be possible to do so in a way that sounds positive.
Prior to contacting you today, Your Company Here Ltd carried out limited data profiling using your postcode and previous order history to identify you as someone who might be both eligible for and interested in the savings we discussed earlier in the call.
And, lastly, if you have acquired the individual’s data from another company, then you need to say where you got their data from. For example:
Your name, address and telephone number were supplied to us by Example Data Company Ltd, a company based in the UK and approved by the Direct Marketing Association.
Or maybe something along the lines of:
Your data was provided to us by Sister Company Ltd in response to a survey you answered on the 15th of November.
Add in a quick “Do you have any questions regarding anything I just covered?”, and you’re all done!
New Rights, New Responsibilities
Altogether, that script took me about 3 minutes 40 seconds to read through, so while it’s not the longest compliance statement I’ve come across, it’s not trivial either. The good news is that you only need to provide this information to each customer once, so as long as your script includes a means to record when the statement was read to each customer, you’ll be able to avoid repeating the statement multiple times to the same customer.
When the GDPR comes into force on the 25th May 2018, it will be interesting to see how people respond to this profusion of new information and new rights. A lot of these regulations appear to have been written with giant Internet companies in mind. If you stop and consider how these new rights will affect companies like Google and Facebook, you may feel a little better about the inconvenience your own business is having to contend with. The novelty will wear off eventually though, and after a bedding-in period I’d guess that your average consumer will be just as fed up hearing about their data protection rights and how their personal data is used as they are when they’re offered the chance to listen to someone reading them the Direct Debit Guarantee for the umpteenth time.
In other words, by the end of 2018, it won’t just be business managers and compliance officers who’ll be thoroughly bored of companies telling them yet again all about data protection and the GDPR. Everyone else will be too.