In anticipation of the General Data Protection Regulation (GDPR), I have met many IT managers concerned about the Right to erasure ('right to be forgotten'). Part of the suite of new personal rights, the right to erasure will allow all EU residents to request that companies delete their personal data. This can be ANYTHING that can identify an individual person, including their name, email, and interaction with a company, photos, geo-data, conversational history, or online posts. In short, this is a broadly encompassing right; with massive implications for almost all companies from giants like Facebook and Google, to even the smallest companies storing customer telephone numbers. With non-compliance resulting in potentially crippling fines, contact centers - who handle masses of personal data, are particularly challenged. Contact centers often operate multiple data recording and CRM systems simultaneously, the purpose of which of course, is to do the exact opposite of erasure. These systems are designed to remember and integrate as much customer data as possible. The GDPR therefore calls for a design overhaul of these systems, hence the horrified IT manager.
What Are GDPR Main Changes?
- The GDPR will supersede previous RTBF directives, to undoubtedly become the most advanced legal regime for the protection of one's personal data.
- RTBF is only one of tens of rights included in the new regulation, which will also allow customers to demand to know exactly what data organizations are holding, the right to rectify incorrect data, and the right of data portability.
- In terms of the right of erasure, the GDPR will give any individual the right to request the erasure of their personal data from anywhere in the union or globally when there is no compelling reason for its processing.
- Article 17 of the regulation outlines the different circumstances under which consumers can exercise the right to erase their personal data. If the organization has made personal data public and is obliged to erase it, they must take reasonable steps to inform anyone else processing the data that the erasure has been requested.
If businesses fail to meet their obligations, they face a maximum fine of €20 million or up to four percent of worldwide revenue, whichever one is higher. The British government will also enshrine the GDPR regulations into domestic law when the UK leaves the European Union. The great scope of the GDPR and much tougher punishments for those who fail to comply with new rules around the storage and handling of personal data, are causing IT managers' sleepless nights.
Gonzalez vs. Google
In a 2014 case opposing internet-giant Google, the European court of justice (ECJ) ruled that Google should remove prominent links relating to Mr. Gonzalez's previous bankruptcy, because they infringed on his right to privacy, and they were no longer relevant. At the time, the ECJ ruled that the media outlet could leave information on its website, but that Google had to remove the links to those pages from its index. So the feat for privacy applied specifically to search engines - but not data sources, and to outdated or incorrect information.
Worldwide Implications
The attention surrounding the Google vs. Gonzalez ruling also spearheaded universal debate about online privacy and freedom of speech. Empowering citizens with control over their personal information is not always an innocent venture - 60% of Europe-wide RTBF requests come from fraudsters, criminals and sex offenders. The case has also drawn more attention to privacy and consumer rights, which is at the heart the European Commission's proposal of the General Data Protection Regulation.
Prepare for GDPR
Looking at the Exabyte amount of data processed by contact centers every day, being ready to identify and extract single interactions based on customer ID or other personal data is no doubt a challenge. To address this pain point, and all the fine prints of the regulation, we have created a dedicated GDPR Solution, which leverages our market leading recording solution, dedicated privacy dashboards, and an advanced policy manager to simplify the processes related to RTBF requests. The solution also builds upon a mission-critical API that enables organizations to bridge siloes between different systems such as CRM and identify singe requests for RTBF. If you want to learn more about our solution, please click here, or book a demo.
What is your view about the latest RTBF upgrade – an advancement for the privacy cause, or an architectural headache? We would love to hear your views below.