Organizations that assume GDPR doesn’t apply to them have it wrong – this new EU regulation impacts all companies that collect and manage data on European citizens, so any Nearshore providers that do so must be prepared.
The General Data Protection Regulation (GDPR) comes into full effect this Friday, May 25, addressing data protection and privacy for all individuals within the EU, in particular the export of personal data outside the EU.
It comes hot on the heels of multiple data privacy scandals and data leaks, most notably from Equifax and social media giant Facebook, and is ultimately a good thing for end users, as it positions data privacy as a human right in this digital age.
Still, Nearshore seems to be lagging behind in terms of preparedness for this far-reaching regulation.
“Despite the deadline being this Friday, I think very few organizations are 100% prepared for GDPR,” said Orson Lucas, Managing Director of Cyber Security Services, and Co-leader for GDPR services in the US at KPMG. “Instead, we see the majority of clients focusing on minimum viable products, looking at where they have a degree of exposure, where those impacts are, then focusing resources on those areas.”
According to Lucas, most organizations in the BPO space now fall under the “data processor” umbrella defined by the GDPR, meaning there is much more onus on them to be responsible for customer data. This is a problem as many small- to medium-sized companies don’t fully understand the breadth of the data they have, or what is happening with it – something that GDPR enforcement agencies may clamp down on.
“What we’re also seeing across a large percentage of clients in the Nearshore space is that the changes introduced by GDPR impact many of the fundamental business models in this practice,” said Lucas. “Call centers focus heavily on marketing and have a customer-heavy touch, so the opt-in now makes it more difficult for them to do business in their typical ways, though the degree of interaction may be much deeper.”
Practical Impacts for Outsourcing Companies
To comply with the GDPR, one global provider, CGS, implemented what is known as “data mapping” in order to understand what the company’s role is when it comes to the flow of data. According to the company, it is generally the systems and processes that are affected the most, while call center agents, for the most part, only need to be aware of what has changed.
Companies like CGS also need to partner with their clients to ensure that end users are giving their consent for contact centers to service them, from wherever they are in the world.
“We expect GDPR to have an impact in the contact center outsourcing world, especially in the outbound sales arena,” said Sebastian Menutti, Frost and Sullivan’s Senior Industry Analyst for ICT, Enterprise Communications, and Customer Experience in Latin America.
“Even though the past regulation in Europe – namely UE 95/46/EC – already established boundaries for outbound calls and personal data management, the new GDPR takes a step beyond to the digital world, and adds the explicit consent of the person as mandatory to use its personal information. This comes at a time when many BPOs in Latin America are developing strong digital marketing tools and might become a stone on the road for BPOs.”
The impacts reach the IT services side of Nearshore too, but are perhaps not as deep.
“The greatest impact we have seen so far is more on the marketing side than internally and in our relationship with our clients,” said Fernando González Aguirre from Belatrix Software. “As we’re ISO 27001 certified, we’ve not seen a huge impact there. We’re already very aware of the importance of intellectual property and have many processes in place to make sure all data is treated securely. However, we have had to adapt new policies mainly, and we’re facing the possibility of losing a considerable portion of our distribution lists.”
Nearshore Americas also reached out to TCS, Teleperformance, and some smaller IT services firms to find out what impacts they had felt from GDPR, but due to scheduling conflicts they were unable to comment.
Preparing for GDPR
To get ahead of the GDPR, CGS assigned a dedicated Data Protection Officer (DPO), who would advise the controller or the processor on their obligations, monitor compliance with the GDPR, provide advice on data protection impact assessments, cooperate with the supervisory authorities and act as their contact point, and prioritize activities and focus efforts on higher data protection risks.
“What we learned early on is that all organizations should create a core team to help drive awareness and compliance across all areas of the organization,” said Samuel. “At a minimum, the core team should have operational, legal, HR, and IT representatives, but, until the team is self-sufficient, having outside consultants can be helpful.”
It’s important to know that GDPR applies to expats that are EU citizens, or any part of a company’s customer base that is European, such as international banks that are located in the Nearshore.
“This regulation is exclusive for Europe, thus, in the short term, it will only affect BPOs interacting with European customers,” said Menutti from Frost. “However, Latin American countries usually look to Europe when it comes to data privacy regulation, and that means that a similar approach might be taken in the region eventually.”
For further reading and advice on GDPR compliance, services providers can check out this useful resource.