The General Data Protection Regulation (GDPR) has been called the most important change in data privacy in years. The GDPR replaces existing privacy regulations and becomes effective in May 2018 across the European Union (EU). It will impact each company differently, but will affect contact centers that collect or process personal data of EU residents. The GDPR also differs from its predecessor in the significant penalties that can apply to non-compliance.
With the GDPR, gone are the days of blindly collecting personal data and afterwards coming up with novel ways to leverage that data. Gone are the days of notification with passive opt-out. Active consent to clearly defined business uses is the new requirement. In addition, your company must strengthen processes for information security and protection, including how you work with service providers.
NICE has been taking steps to strengthen information security for some time. In some ways this is very evident – as shown by our compliance audits and recent work to support U.S. government agencies using FedRAMP. In other ways these steps are behind the scenes and exposed through new product features or moving toward cloud systems.
So what can a company do to ensure compliance with the GDPR? The first step is to understand the personal data that you collect. You will want to understand the reason that it is collected, and the methods you use to segregate the data based on business use and the processes you use to manage the consent or other legal basis you are using to process that data.
What if, as many companies do, you utilize external service providers to process this data? It is important to understand that compliance is your responsibility. You should pick service providers that are prepared to help you be compliant and that are aware of and fulfill their own responsibilities. The service provider should clearly define what they will do, and what you must do, to ensure compliance. NICE uses this shared responsibility model to help our customers become compliant. We clearly share with you where our responsibility ends and yours begins.
However, we do not just leave you there. Our professional services group stands ready to help you implement your responsibilities. A great example of this shared model can be seen in managing customer consent. Assuming that your company determines that consent is required, you will need to obtain that consent. NICE CXone product features like pre-chat forms and IVR scripting can be used to explain the business purpose to your customers and to gather their consent. That consent can then be stored using CRM integrations for later use if you have to demonstrate consent was obtained. These features can be used directly by your staff, or NICE CXone professional services can help.
Another example of leveraging product features to meet your compliance goals is controlling data access. Your company may participate in programs like the EU-U.S. Privacy Shield just as we do. This program is one way that we comply with the GDPR internally and your company can do the same. If you do not then you may need to tightly control how customer data is accessed and even how the initial interaction occurs. You may need to restrict the agents that can interact with EU residents to those also in the EU. NICE CXone has the ability, under your control, to provide this kind of access and routing control.
NICE understands the critical need of your organization to be compliant with many regulations, including the GDPR. We are ready to help you meet this need through our own compliance, product features, support and professional services.
