“I DO”—POPPING THE GDPR CONSENT QUESTION
In the two years since the EU adopted the General Data Protection Regulation (GDPR), firms across the globe have been busy preparing to comply with the new regulations that provide data privacy protections to EU residents.
The regulations are broad in scope, covering customers and employees, and regulations around data breaches, data requests from individuals, when a firm can legally process data, and more.
For those in the contact center, GDPR can be particularly challenging, as the collection and processing of structured and unstructured data is critical to operations. It’s not surprising that with less than a month to go before enforcement begins on May 25, slightly more than half of all firms will not be fully compliant.
Unsurprisingly, our team has fielded a number of questions from customers about this topic, particularly around some of the more confusing areas within GDPR. In our experience, no area of the regulation has generated more confusion—or questions—than that of consent. So with this in mind, we’d like to provide an overview of common misconceptions around consent and point you to additional resources.
Before we begin, though—a note: Although some of us could debate a point for hours, most of us are not lawyers. Ultimately, it’s up to your organization to decide how to create processes that comply with GDPR. However, we hope we can provide inspiration for further investigation as you go through the process.
Why Is Consent So Confusing?
GDPR marks a radical change in how it approaches obtaining consent to collect and process consumers’ personal data. Instead of assuming that all customers are “opting in” by default, where the onus is on an individual to explicitly request that data isn’t collected or processed, GDPR switches to an “opting out” default, where the onus is on the firms to collect explicit permission from customers and employees to collect and process their data.
Based on our conversations, a number of firms have interpreted this to mean that they need consent for anything involving data—from recording to comply with regulations, such as Dodd Frank or MiFID II, to doing quality evaluations of employee calls.
But consent is only one basis for processing data—and you only need one. If you have another acceptable basis for processing data—and Article 6 of the GDPR legislation outlines all six of them—then consent isn’t required. Indeed, the scenarios described above are likely covered by a different legal justification. That said, you must disclose what you’re doing with the data, even if consent isn’t required.
Contact centers have plenty of reasons for recording and processing data—from regulatory compliance, to improving the customer experience, to optimizing operations. Those reasons don’t disappear with the enforcement of GDPR.