Could a knock on effect of GDPR cause an avalanche of paper work onto an unsuspecting team of customer service and support teams?
I’m a bit worried about GDPR. At the moment, there are an increasing amount of awareness seminars, webinars and information events taking place in order to get businesses of all sizes to understand the far-reaching effects of this new data protection regulation – and they are doing a good job.
I’m not worried about CIOs getting the message and making changes, I’m also not worried about those that fail to comply and suffer the consequences of fines and damage to their reputation. And as for the changes needed within a business’s internal IT infrastructure to ensure that the legislation on how personal data is handled, stored, processed and transferred; well that doesn’t worry me at all.
I’m worried about customer service and support staff that may very soon be enlisted to undertake a potential avalanche of paper work that may be a side effect of GDPR.
One of the very positive elements of GDPR is that it places a lot of control back in the hands of the consumer. Any company that holds personally identifiable information, which means an actual living person can be easily identified form the data they hold in one, some or all of their data storage systems, has to make that data available to the individual. ‘Joe Public’ has a wide range of new rights over the data that pertains to them, which, according to a recent course I attended at the National Cyber Skills Centre, includes :-
- Right to information
- Right to access
- Right to rectification
- Right to be forgotten
- Right to restriction of processing
- Right to notification
- Right to portability
- Right to object
- Right to appropriate decision making
Details of exactly what they mean in practise can be found on the EU GDPR Info website, but in short it means that the individual is now in control. They can ask for copies of all the data a company holds on them, they can ask for it to be corrected and if they no longer want to deal with the business in question they can ask for it to be removed and receive acknowledgement that it has been removed. Should a company then contact them again with a ‘come back to us’ offer of new products or services, then they could be in very choppy legal waters.
So why does this worry me on behalf of customer service and support staff? Because at the moment these changes are not widely known by ‘Joe Public’. Admittedly under current data protection regulations they have had the right to obtain a copy of any data, from customer records to HR records, to internal emails that even mention them, through the use of a Subject Access Request, but how many people knew about this? With GDPR this access to data is now ‘super-sized’.
What will happen to a business of any size when at some point, a tipping point if you will, on these new powers granted to individuals becomes widely known. If a consumer TV show did a story about it, if a national newspaper ran a campaign on ‘taking back control’ (we’ve heard that before), or if even the Government ran an awareness campaign on these new rights in a similar way to how they have informed the public about everything from work place pensions, to road safety.
If that was to occur than many individuals would be writing to a company appointed Data Protection Officer and exercising these new rights. Could even a well-resourced company cope with an additional 10% customer workload relating to individuals asking for copies of data, edits to be made, or for it to be removed?
During the GDPR course I attended this potential administrative overhead was recognised as a challenge, but one that is not being discussed in detail as preparation for GDPR compliance is being undertaken.
Like many areas surrounding data protection and cyber security, this could be nothing more than a storm in a teacup. It may or may not happen. It could be ‘the end of the world’, or just ‘business as usual’. However, at this time nobody can say if it will or won’t happen.
But if a public who are frustrated with how they are bombarded with correspondence of all flavours from companies, decide to embrace these new rights then dealing with all these requests will no doubt fall on the shoulders of the customer service and support staff. This could be just a short-term solution as ultimately it would make sense for a company, once customers data is consolidated into one place, to allow ‘self-service’ to obtain copies of personal data and to allow a big ‘forget me’ button that can be pressed by weary individual.
Of course, my worry could be completely unwarranted and the public will not exercise these new rights and there will be no additional workload. But like all things cyber and data related it has to be worth having the conversation, wouldn’t you agree?