The right to privacy has long been a concern in Europe, with laws going back over 30 years. The most recent directive, the General Data Protection Regulation (GDPR), was established to simplify the regulatory environment for international business by unifying regulations within the European Union (EU). It aims to give control of personal data back to citizens and residents.
However, those regulations fly in the face of best practices in managing complaints data. The need to retain data even after a complainant has severed a relationship with a company clashes with the GDPR’s principles of privacy by design and data erasure. Complaints departments need to be aware of the challenges caused by this inherent conflict as GDPR goes into effect in May 2018.
Even though consumers demand more personalized experiences, security and privacy concerns have a significant impact on their behavior. More individuals are exercising their privacy rights and taking a more critical approach in determining with whom they will do business.
A survey of financial services customers found that 74% are prepared to move to a competitor if their bank or insurer suffers a data breach. Customer churn has a significant impact on the overall cost of a data breach as well. Organizations that lost less than 1% of their customer base after a data breach had an average cost of $2.6 million, while those that lost 4% or more reported an average cost of $5.1 million.
As a result, more companies are realizing the need for ethical and privacy-compliant practices. Dissatisfied customers can severely damage an organization’s reputation and lead to regulatory attention and the potential for significant fines under GDPR.
Privacy by Design
Companies are required to hold and process only the data absolutely necessary for the completion of a specific purpose, as well as limiting access to personal data to those who need to actually do the processing. A number of industries have retention requirements for customer information that would exceed the scope of this section of the regulation.
In light of those conflicting standards, organizations must clearly communicate their retention requirements to consumers to meet the standards set by GDPR. Companies must also be prepared to provide customers with access to personal data in a format that is commonly used and machine-readable to comply with the right of data portability.
Customers also have the right to be forgotten, meaning the company is required to erase that individual’s personal data and ensure that any third parties with access to that information do the same. There are certain conditions under which this right can be exercised, i.e. the data is no longer necessary for the intended purpose under which it was collected, or the individual withdraws consent for processing. This right is subject to exemptions, such as the data being necessary for the establishment, exercise or defense of a legal claim, which would be the basis for the complaints department.
Reconciling these conflicting stances will be a priority for many organizations as they look to find a new normal under GDPR.