The new EU General Data Protection Regulation (GDPR) comes into force in May 2018 and is designed to unify regulations and reduce inconsistencies between member states.
Under the new rules, data subjects will be able to sue for ‘pecuniary or non-pecuniary’ damages and non-compliance could lead to fines of up to €20m or 4% of the offender’s total worldwide annual turnover.
Current regulations came into force over 20 years ago and have been subject to widely differing interpretation by individual member states. The new GDPR is a Directly-Effective regulation which is designed to address this issue by side-stepping independent implementation. It should also make it easier for companies operating across Europe to comply. Nonetheless, it still allows governments to legislate independently on some matters, which means that inconsistencies will still arise.
A new ‘one-stop-shop’ policy also means that multinationals should only have to deal with the supervisory authority in the state where they have their HQ.
The GDPR significantly increases the rights of individuals. For example, silence or pre-ticked boxes will no longer be sufficient to infer consent. Instead, permission will require positive affirmative action. In addition, the time period for dealing with requests is reduced from 40 days to one month, and the new concept of Accountability requires controllers to demonstrate how they comply with the new rules.
In essence then, there are more and tougher rules to follow, the consequences of non-compliance are potentially severe and it is easier for data subjects to cry ‘foul’.
GDPR and bxp software
bxp software was built, by contact centre operators, to manage all aspects of contact centre operations, and there are a number of ways that bxp can help you manage this new situation. These include maintaining records of data processing activity, which must now be made available for inspection by the Supervisory Authority. Another example would be the management of data records in respect of Storage Limitation. According to Article 89, personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
This is an easy area to overlook but not necessarily an easy one to manage, unless you are a bxp user. For example, bxp can be configured to wipe given fields in your databases on a scheduled basis. Alternatively, it can automatically remove data that has not been interacted with in a twelve-month period.
Depending on your campaign of course, and the purpose for which you are using the data, bxp can also wipe fields on a nightly basis which would give you the best protection possible.
We can also help with data that is not held on bxp because we can connect to legacy systems via API or SFTP, pull out and clean the out-of-date records and then push the scrubbed data back again.
At bxp we're ready for the new GDPR and we can help you to be ready too.
Please contact Chris Thomson on 00 44 207 692 0705 or Nick Wheeler on 00 353 1 429 4000