Let me ask you a question.
As champion of your organisation’s customer experience and (for now, at least) the person responsible for ensuring you comply with the GDPR and new Data Protection Act, are you sending prospects’ and customers’ personal data outside of Europe solely to circumvent the laws on data protection?
No, of course not! I think.
But if any of your technology partners or services transfer, save or process personal data outside of the EU or EEA (European Economic Area), then you need to be clear about the legal basis on which you are doing this. And if you have intra-company transfers of personal data outside of the EEA and your organisation doesn’t have Binding Corporate Rules (BCRs; see www.ico.org.uk/for-organisations/guide-to-data-protection/binding-corporate-rules/) in place – which is unlikely as BCRs are tricky and expensive to establish – the same stipulations apply.
Whether you have just started your preparations for the GDPR and the forthcoming new Data Protection Act or you feel it’s all sorted, you need to ensure your most important stakeholders – your frontline staff – are prepared. Your customer-facing teams mark where your customer experience ambitions are either realised or frustrated. Whether dealing with customers face-to-face in store or in the field, or remotely in a contact centre, they are the face of your organisation. As such they will be the first port of call for customers looking to exercise their new and enhanced rights.
Week #18 of your preparations for the GDPR (or the planned Data Protection Act 2018 in the UK) and its impact on your organisation’s customer experience. So, how’s it going?
My guess is that – unless your organisation has a strong Compliance function, which had already done plenty of planning for the GDPR before you got involved (some of which you may well have since disagreed with!) – you are now being treated as the company expert and ‘go-to’ person for all things data protection. As I assume you have plenty else to be getting on with in your own world of the Customer, then you probably don’t want to become the GDPR guide for everyone else.
What’s black and white and never read? Your Privacy Statement, that’s what!
(or at least that has traditionally been the case – but things may now be changing)
As you’ll know, one of the key requirements of the GDPR and the new Data Protection Act is that organisations keep their prospects and customers (‘Data Subjects’, in legalese) informed. In fact, the first of the 8 Rights listed by the ICO is this one; the Right to be Informed.
An organisation’s Privacy Statement or Notice is typically the best way for an organisation to explain how it will process data. Traditionally, from a customer experience perspective, Privacy Statements have been irrelevant. They’re lengthy (on average over 2,500 words – though iTunes’ peaked at 20,000 words in 2015) and no-one reads them. But in future people increasingly will. And if it’s not your prospects and customers reviewing your Privacy Statement, then rivals and a growing band of people looking to make a living out of challenging brands’ data privacy compliance will!
If you’re grappling with ensuring your organisation comes to terms with the customer experience-related requirements of the GDPR and new Data Protection Act and have been following the advice in these weekly blogs, then by now you have probably had lots of conversations, filled a few white boards and even changed some processes and customer journeys.
One of the 8 rights of data subjects (that’s prospects and customers to you and me) is that of Data Portability (www.ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-data-portability/).
In simple terms it requires that you support and allow the easy transfer of the personal data you hold on a data subject to a new service or product provider on their instruction. This right has generally got less coverage in the lead-up to the implementation of the GDPR and new Data Protection Act than two other closely related rights – to Erasure (to be forgotten) and the right to Access (Subject Access Requests).
The Right to Erasure is one of the 8 key rights for data subjects enshrined in the GDPR and the Data Protection Bill (www.ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/). If you are responsible for ensuring both data protection compliance and a good customer experience, then how to manage the right to erasure – more commonly referred to as the right to be forgotten – needs to be high up on your list of GDPR challenges to address.
…but there can – and must – now be a free download.
Over the past few weeks we’ve identified a lot of tasks and questions for you to consider as you chip away at preparing for the GDPR and the new Data Protection Act. The amount of work or change these ‘bite-sized’ activities are likely to lead to will vary greatly from organisation to organisation.
However, if your firm’s marketing and acquisition of new prospects with future marketing permissions is heavily dependent on online content downloads (white papers, guides, infographics, etc) then the requirements of the GDPR may have a radical impact on you.
Will the GDPR hasten the demise of the big tech platforms?
The digital platforms have offered direct marketers a great alternative to traditional channels and activities. Now brands can identify, communicate with and sell to consumers through and with the help of Facebook and the others.
However, the brands and their digital agencies are operating in the platforms’ closed worlds, according to their rules. And now the rules could be about to change…
Right, it’s whiteboard or flip-chart time again! Round up the usual suspects – sales, marketing, data and CRM heads, proposition owners, customer experience, technology – and get them to answer a couple of questions:
1. What customer personal data do we capture (or have we captured in the past)?
2. Where’s that personal data held?