GDPR: The Good, The Bad, And The Ugly for CX

Posted by Rant & Rave

April 19, 2018

GDPR: The Good, The Bad, And The Ugly For CX! 

“In the twenty-first century our personal data is probably the most valuable resource most humans still have to offer, and we are giving it to the tech giants in exchange for email services and funny cat videos.” - Yuval Noah Harari

It’s so true, but don’t we just love those
funny cat videos? (don’t blame us if you’re distracted for the rest of the day 🐱‍👓)

With the General Data Protection Regulation (GDPR) closing in on us, wouldn’t it be nice to just ignore it all and get straight back to those funny cat videos on YouTube?

But with the May 25th deadline looming ever closer there’s just no ignoring the GDPR. Whilst the GDPR may feel like an insurmountable hurdle, it does herald in a new era of robust data management. For forward-thinking businesses that fully embrace the opportunity to deliver proper rigour to the capture, use, storage and management of customer data, the rewards for these efforts will be a vastly improved customer experience that is shaped by trust and transparency.

Want to become a CX superstar? Grab our latest Infographic: 7 Ways to Bring CX & EX Together, to find out how to truly go beyond the data and take action! 

We decided to put this article together to help address any questions or concerns you have about the impending legislation, with a specific focus on customer data and what this means in the context of the whole customer experience. Our hope is that you’ll have a clearer focus on what you need to achieve so you can continue doing what you do best - making customers happy.


What is GDPR?

By now, we’re hedging our bets that you’ve already consumed your fair share of GDPR related content, but for those looking for a recap, here it is… 

Know all about GDPR but want to skip forward to the checklist? Click here skip down!

The General Protection Regulation (GDPR) is a European Union legislation that replaces the Data Protection Act (DPA). These rigorous new rules require that all businesses handling data belonging to EU citizens, completely rethink and revamp the way they collect, process and store individual data, placing the control of personal data firmly back in the hands of the people. Those that fail to comply could face penalties of up to 4% of global revenue or €20 million, whichever is greater and dependant on the severity of the breach.

The GDPR is about so much more than simply complying with the legislation and avoiding these punitive damages. The new rules demand businesses to document the purpose for which they have collected EU resident data, how they’ve gained permission to hold it and whom they are sharing the information with. This in itself has the power to significantly impact the way in which businesses communicate and engage with customers.

Customers will be empowered to request a 360 degree view of any personal data an organisation holds with an understanding of how that data is used. Businesses will no longer be able to repurpose customer level data for profiling and direct marketing unless you’ve sought express permission from the customer to do this. If an individual has reason to question their relationship with you, they are well within their rights to withdraw their data and consent and exercise their “right to be forgotten”. Essentially, if you don’t tread carefully, your customer experience, as well as your bottom, line will suffer.


It's your responsibility to determine if you're a data processor, controller, or both

The preparations you need to carry out to meet the requirements of the new GDPR legislation will depend on whether you fall into the category of ‘data controller’ or ‘data processor’, but you may fall into both!

The definition of a ‘data controller’, is the individual or the "legal persons" such as companies, government departments and voluntary organisations that controls and is responsible for the keeping and use of personal data. According to Article 5 from the EU GDPR, the data controller “shall be responsible for, and be able to demonstrate compliance with, the principles relating to processing of personal data”. Put simply, this means that the data controller exercises overall control over the ‘why’ and the ‘how’ of a data processing activity. It is the entity that:

  • Obtains consent for using personal data.
  • Determines the purposes, conditions and means of the processing of personal data.
  • Is responsible for directing and controlling the actions of the data processor. Their role is to exercise control over the processing of personal data and ensure they are compliant on behalf of the processor.

If you hold or process personal data on the behalf of a business, but do not exercise responsibility or control over the personal data, then that makes you a ‘data processor’. A third party data processor is defined under GDPR as, “a natural or legal person or organisation which processes personal data on behalf of a controller.” Data processors will be organisations with whom you share personal data as part of your business operations or as part of any projects you may be running such as payroll companies, accountants, mailing houses or cloud providers.

To give an example, a customer using the Rant & Rave Platform to proactively communicate with customers and receive customer feedback is the data controller, whereas Rant & Rave is the data processor. However, Rant & Rave will assume the role of data controller when it comes to the data they own, for example, employee data.

The distinction is very important because ultimately, as a controller, you are responsible for ensuring that personal data is processed in accordance with GDPR. In terms of the data processor, they have their own set of obligations to comply with, ensuring that their data security is robust and that the way they control and store data is in line with the regulation.

Staying on top of data compliance is key so you can ensure that the data passed over to your data processors are fully compliant or you, as well as the data processor, will be liable. As it states in Article 83, fines shall be imposed regarding the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them.

A checklist for data controllers - ensuring customer data is compliant

The GDPR sets a business-wide challenge to review, and in many cases overhaul, existing strategies, processes and technologies. The key aim is to ensure your organisation complies with these new regulations and that it can retain and grow its customer data to nurture rather than sever customer relationships.

With just weeks to go now before the GDPR legislation goes live, it’s a good time to review the steps below and assess what remains to be done.

Do You Need to Appoint a Data Protection Officer?

Where appropriate, you may need to appoint a Data Protection Officer (DPO) to take responsibility for GDPR compliance, whilst this may have been the first step you took a while back it’s key that they’ve engaged with marketing and CX functions so they can ensure compliance without a sacrifice to customer experience. This is particularly important if your company processes or stores large amounts of data as the DPO is accountable for the entire data protection strategy.

Build a Robust Data Framework

Your data framework forms the foundation for GDPR compliance and the first step a DPO would take to get your business GDPR-ready is carry out information audits within all business areas that handle personal data. You will need a clear outline of what personal data is held and where, where it came from and who its shared with.

The onus is on creating a robust data framework where all the personal customer data held across the business is consolidated and overlain with procedures that effectively maintain these records.

Without this, how would you be able to quickly assemble and supply a 360 degree view of the personal data you have on an individual upon request? How would you notify a third party about an inaccurate data record you’ve found? A good data framework will place you in a good position to fulfill the requirements of this incoming mandate and keep you on the right side of the law.

Improve your Data Quality

Article 5 of the GDPR states that personal data must be accurate and, where necessary, kept up-to-date.

There are a multitude of variables that degrade your data over time; you’ll have contacts that change their name, job role and places of work, duplication of records across different systems, historical database roll outs and system consolidations will have contributed their fair share of data glitches and to top it all off, simple ineffective data management processes.

Cleansing the customer data you have is no easy task but, as part of regulatory preparations, businesses must work harder to keep data clean on an ongoing basis. New customer data filters through a whole host of sources; websites, direct sales, events, contact centres. You’ll need to establish a validation procedure at point of capture or entry to ensure all required information is captured without duplication as well as establish a way of systematically cleansing your data in an ongoing, automated basis.

Obtain Consent to Process Data

It’s vital to ensure that prospects and customers have expressed consent to your marketing communications. This is huge when it comes to communicating with customers and managing their expectations, for many this will be covered as it’s often written into contracts and terms and conditions. For others however, they may need to establish verification through a validation procedure, or otherwise ensure they can evidence clearly where and how an individual has opted-in, so that in the event of a request you can identify where consent was obtained and that you’re fully compliant.

To tackle this problem, you’ll now regularly see businesses rolling out opt-in strategies to obtain permission before May 25th, usually in the form of an email to gain clear opt-in consent to continue marketing to their contacts.

Consent to communicate is one thing, but businesses must also obtain consent for the use and tracking of personal data. You must demonstrate compliance by providing clear notifications across your online channels, informing users how their data will be used and stored and that to continue browsing they must accept these conditions, usually expanded upon across a privacy policy or terms and conditions. As potential buyers and customers travel across your online channels it will be key to ensure your communications are up to scratch, ensuring that a positive experience isn’t then destroyed by a lack of care regarding their data privacy or security.

Update your Privacy Statement

Your privacy statement should already be written in a clear and concise manner and inform readers of your identity and how you intend to use their personal information. The GDPR legislation however, requires you to modify your privacy notice further to disclose your lawful basis for processing the data and your data retention periods. It should also highlight that any concerns individuals have with the way their data is being handled can be raised with the ICO.

Protect the Data You Hold

A critical mandate of the GDPR is that organisations have the right procedures in place to detect, report and investigate a personal data breach. All data breaches must be reported to the supervisory authority within 72 hours and if the breach is likely to result in a high risk to the rights and freedoms of individuals, the data subject implicated should also be notified of the breach. Overall, the aim is to ensure accountability to protect your customers and employees.

Ensure your Third Party Data Processors are Compliant

According to Article 28 from the EU GDPR, “Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”

The upshot is that as a data controller you are held accountable for any infringements to the legislation made by your third party data processors. It is therefore critical that you map out the data stored and processed by each of your data processors and that you seek guarantees from them that they are taking measures to comply with the regulations.

The steps they need to be taking are the same as those we’ve discussed for data controllers. They should be able to confirm the actions they’ve taken to become compliant, discussing where data is stored, who can access the data, and what security breach measures they’ve put in place.

As part of your assessment of each data processor, review their privacy policies and terms of use and look at GDPR statements they may have prepared. The GDPR also makes written contracts between controllers and processors a requirement so don’t delay in drafting and signing new contracts if the current ones don’t fit the bill.

How are Rant & Rave preparing for GDPR as a Data Processor?

Under GDPR regulations, data processors will be liable for data protection non-compliance. As we’ve highlighted, there remains an obligation on data controllers to ensure they thoroughly vet their data processors or both parties are at risk of penalties. So, we’d like to share the measures Rant & Rave have put in place to ensure we meet our obligations under the new directive.

Rant & Rave have always had strong measures in place around data security and compliance, for example, we obtained robust data protection controls in place back in 2015 as part of gaining our ISO27001:2013 certification. The new legislation has been welcomed in and we’ve worked hard to ensure that we meet the compliance deadline. We’ve reviewed our processes and tooling against the new requirements and are in the process of updating our customer contracts, insurance policies and data protection policies to ensure they reflect the necessary legal and procedural changes.

This includes amendments to our standard terms and conditions to reflect that with respect to our customer’s data, Rant & Rave are the data processor and that it is the responsibility of our customers as data controllers to obtain consent to send messages and obtain feedback, including Listening Posts.

Our existing contracts with customers will also be updated to clearly define our position and responsibilities as your data processor, providing clarity around the processing of data that you, as data controllers, have instructed us to perform.

One of the most critical areas of responsibility for data processors such as ourselves under the GDPR is around Data Protection and we have updated our Data Protection Policy to provide our customers with the necessary clarity and reassurance you need to continue working with us. Our Data Protection Policy now explains:


  • How data controllers can trigger our subject data access procedure and data erasure procedure. We are also putting processes and tooling in place to support this both from a data controller and data processor perspective.

  • Who our 3rd parties are, how, where and why they process our data and what data types we hold. As part of our ISO27001 certification we are already required to audit our existing suppliers every 3 years. To comply with the GDPR we are inspecting the information security and data protection controls of new suppliers and the project team are undertaking a supplier review, and amending existing contracts accordingly.

  • Notification process for data breaches. We are updating our security incident processes to notify affected customers (the data controllers) of data breaches as per Article 33.2 as well as the ICO.

  • Our data retention periods. We retain all fast feedback data online for the duration of the contract. We archive data every 3 months into backup archives.

Customers should also rest assured that we are focused on ensuring compliance as a data controller and as part of this, our legal team has been collaborating with the marketing department to understand the type of personal data we hold and how it is used. Changes will include ensuring explicit consent is sought from customers and prospects and we will begin to implement the EU cookie notification directive.

The Benefits of GDPR

The GDPR is forcing businesses to re-engage with customers, gather consent, and review and revamp data collection, cleansing and management processes and while this may seem like a long, pressurised and expensive process, forward-thinking organisations will seize this opportunity to revolutionise their customer experience.


Relationships Based on Trust

The Cambridge Analytica and Facebook data security scandal that is currently unfolding in the headlines is a timely reminder of much that is good about the GDPR and will no doubt be placing concerns about sharing personal data firmly at the forefront of consumers’ minds. Through GDPR compliance, businesses should seize the opportunity to prove to their customers that they are trustworthy custodians of their personal data and in our time-pressured world where customers seek quick and easy solutions, they will share their behaviours and preferences with organisations they trust.

Because the GDPR requires that organisations make it as easy for customers to withdraw consent as to give it, the onus is not only on you to earn this permission in the first place, but also to manage and maintain a transparent relationship long term. From these efforts however, you will find you have a genuinely engaged and loyal customer base.

Improve Marketing Performance

With the incoming GDPR regulation, companies will be required to hold and maintain clean, opt-in data. Yes, this will mean there is less customer data, but it’s excellent quality and potentially very detailed data, which lends itself perfectly to delivering highly targeted and personalised campaigns that really do engage customers. In fact, research conducted by the Royal Mail states that marketers cite good quality data as having the most positive impact on campaign response and conversion rates. Of course, lower volumes of customer data also means cost savings for marketers whilst their one-to-one campaigns raise ROI.

The GDPR also requires that individuals understand the purpose for which their personal data has been obtained before it is collected, which actually forces businesses to think more strategically about their reasons behind data capture else risk customers withdrawing their consent altogether. The end result is a more creative approach to marketing that places the customer firmly at its heart.

Serve your Customers Better

Since the GDPR stipulates that personal data held by businesses must be up to date, easy to completely erase and fully extractable should a customer request to see it, businesses have had to find ways to consolidate all the personal data they hold across the organisation into a uniform platform. Compliance aside, this wealth of customer information equips your business with a vital tool that can help your Marketing and Customer Contact Teams serve your customers better. You can pinpoint their needs, engage them in ways they prefer and spot early signs of churn in time to intervene.

Significant Cost Savings

Effectively complying with the GDPR may even deliver some unexpected financial benefits by way of technology cost savings. Culling and consolidating data may reduce data storage costs while there could be opportunities to retire legacy software and applications that are no longer relevant to your business. If you are able to automate data maintenance this will free many man hours in marketing and of course, higher-quality but lower volumes of customer data means marketers will save costs on communications and may be even improve ROI.


A final word

With the GDPR deadline creeping ever closer, we hope that this blog helps you figure out where you stand and what you need to do for both your customers and your business. Remember, the legislation brings about positive change so we should all embrace it and welcome in stricter rules that govern how our data is protected and used.

If you've made it this far and not yet watched any of those funny cat videos, here you go, we think you've earnt it!


Disclaimer: This blog contains opinions from Rapide Communication Ltd t/a Rant & Rave and other independent third parties on the GDPR to help you understand and identify some of the issues that your company may face to become compliant with the new legislation. However, this is not legal advice, your obligations and liability depend upon your own requirements and therefore you should seek your own legal advice to determine the extent of your own specific requirements and liabilities.

Topics: Customer Experience, Data Security

Recent Posts