AN EXL WHITE PAPER
GDPR: A Great Catalyst for Enhancing Customer Experience
Written by: Prakhar Agrawal, Cert. GDPR Practitioner, CIPT, CISM, CISA, PRINCE2
Assistant Vice President, Consulting
Appreciating the sheer amount of change
the GDPR entails, most companies
are adopting a risk-based approach to
compliance and prioritising areas that will
be compliant on day one of a post-GDPR
era. The prioritisation criteria a company
chooses are the sum total of many factors,
such as existing privacy maturity and
readiness, risk appetite, and the nature of
business.
A careful look beyond the extensive set of
requirements captured in the 99 articles
and 173 recitals will reveal that the rights
and freedoms of customers and staff
are at the heart of the Regulation. As
companies define their target maturity
state and compliance roadmap, there
is a tremendous opportunity for putting
forth their brand as one that customers
can trust. Come May 2018, the real
beneficiaries will be companies that put
customer experience at the forefront of
their delivery plan and approach, or in
other words, focus on data processing
activities that are likely to cause most
detriment to customers.
GDPR offers many ways companies can
enhance customer experience on their
path to compliance. Requirements such
as fair processing notices and consents
are indeed the flag bearers of that idea.
The core of customer centricity can be
summarised into three facets:
(1) Being transparent and fair
(2) Empowering customers
(3) Being responsible
GDPR is a tough regulation. Achieving and maintaining a target maturity state on May 25, 2018 will
require a collaborative investment of time and effort from all functions within an organisation.
With its many daunting requirements and challenging fine structure, GDPR is one of the top board
agenda items of every impacted organisation today. Most companies have already established their
compliance programmes to come out on the right side of this regulatory regime.
Being Transparent and Fair
Transparency and fairness are foundational
pillars of the concept of privacy. Every
privacy regulation, including GDPR, has
these embedded in its set of requirements.
Under GDPR:
• As early as the first point of data collection,
a company will tell its customers upfront
in an easy-to-understand privacy notice
without any legal jargon and no fine print:
- What data it collects and how
- How it intends to use data
- Where it intends to store data
- Who it intends to share data with
- When it intends to dispose of data
• Customers can make informed decisions
on whether they want to provide their data
based on what they can expect to happen
with their data
• Customers can indicate their agreement
to provide data by providing valid consent.
“Valid” under GDPR means informed,
specific, unambiguous, freely given, and in
some cases, explicit.
- Informed – Ensuring they read and
understood the privacy notice.
- Specific – Provides data for one purpose
but not another
- Unambiguous – A clear indication that
they have consented, such as through an
affirmative action.
- Freely given – Without any fear of
adverse consequences, including refusal
of service. This is more applicable in the
case of employee consent.
- Explicit – An explicit statement which
leaves no room for any confusion or
denial, such as by ticking a specific
consent box.
• Where personal data relates to more
vulnerable customers, such as minors
who may not be capable of providing valid
consent, the company will seek parental
consent.
• Where sensitive data, also known as
“special categories of data”
under GDPR, is involved, the company
will specify this in the privacy notice and
reassure customers of its adequate and
enhanced protection.
• The company will limit data processing
to the intended purpose and period
disclosed and agreed to by the customer.
Empowering Customers
Being transparent and fair is not a one-and-
done exercise; it is rooted in a company’s
customer engagement practices.
Customers should be allowed to revisit their
inputs any time. This brings to light another
key facet, customer empowerment.
Under GDPR:
• A company will allow customers to be in
the mix at all times.
- Customers can change their
consent preferences at any time,
whether changing its specificity or
withdrawing consent altogether.
- Companies will allow customers to
request such changes easily and
diligently honour their request.
- Companies will offer adequate
granular choice and control to
customers when exercising their
consent preferences.
• Companies will enable customers to be
in control of their data and the way it is
processed. Specifically, companies will
allow customers to:
- Request a company to update their data
such as for a change of address
- Request a company to give them details
for all data it holds and processes
on them
- Request a company to erase their
data (or forget them, temporarily or
permanently) if they are unhappy with
how any of their data is held, other
conditions notwithstanding
- Object to or restrict specific types of data
processing, such as for direct marketing
- Request human intervention in
otherwise automated processing
(automated “decision making”, to be
accurate)
- Request their data to be ported either
to them or to a competitor in structured
and reusable form, preferably via a
self-service portal, thus avoiding potential
lock-in effects
• Companies will have in place a robust
and customer-friendly request workflow
mechanism and leverage it for timely
and efficient fulfilment of such customer
requests, providing regular status updates
and an escalation path when required
• Customer empowerment is incomplete
without the company providing them
privacy and security-friendly default
settings in all its products and services,
such as secure data transmission, no pre-
ticked checkboxes, and other methods
Being Responsible
The third, perhaps most overlooked, facet
is for the company to realise that customers
have entrusted it with their personal data.
This means the company is expected to
be fair, transparent, and act responsibly,
especially in confrontational circumstances.
Under GDPR, a company will not only
take utmost precaution to ensure its data
processing is accurate and secure as
per the intended purpose agreed with
customers, but also be prepared to:
• Promptly notify customers in case of a data
breach that may cause them damage or
distress and advise how they can reduce
the risk and impact
• Provide clear instructions and
mechanisms for prompt and fair handling
of complaints, as well as share contact
details for its data protection officer
• Provide written responses in cases where
a company’s legitimate interests outweigh
customers’ rights and those rights cannot
be honoured
• Analyse and address any envisaged
risks and impact to customers prior
to undertaking a new data processing
operation via DPIAs
• Only engage with suppliers and third
parties that can provide at least the same
level of data protection and assurance
• Train staff to handle or process customer
data in the intended way
• Create awareness and promote a culture
that puts data privacy and security at the
forefront
Conclusion
Many companies are now getting serious
about their preparations for GDPR. There
is indeed an upswing in GDPR adoption as
25 May approaches. It is not surprising that
the Information Commissioner’s Office
(ICO), the UK’s data protection authority,
recently posted on Twitter that “…one of
the most significant days for your new
2018 diary will be 25 May - the day when
GDPR comes into effect...”. Most companies
are looking to undertake a risk-based
prioritisation approach in the run-up to
the deadline, as it is well acknowledged
that the amount of change is high and
there is a need to focus on some areas
more than the others. What to focus on is
a matter of choice, with many factors that
will drive this. One thing seems certain -
GDPR was designed to change the way
companies interact with customers. The
real beneficiaries will be companies that
put customers at the forefront of their
implementation plans.
From initial onboarding to end of
association, a customer journey is a multi-
step endeavour. The insurance industry
provides a good example in that an
individual starts as a lead, turns into a
prospect, a quote is issued and accepted,
and then at this point the individual
becomes a policyholder. If the individual
files a claim during the course of the policy,
they become a claimant, and so on. In
each role, the individual’s personal data is
processed in myriad ways - sending
marketing emails and newsletters, issuing
automated quotes, anti-fraud checks,
health data processing, profiling and so
on. Customer experience starts at the
very first step. If the company embeds the
three facets described above of fairness
and transparency, empowerment, and
responsibility in its values, there will be
a greater chance of a lead turning into a
prospect, prospect into a policyholder and
policyholder renewing a contract, which
ultimately is the core business objective.
One of the most significant days for your new 2018 diary will be 25 May. The day when GDPR comes into effect. View our guide to the new regulation here: ico.org.uk/for-organisati ...
GLOBAL HEADQUARTERS
280 Park Avenue, 38th Floor, New York, NY 10017
T: +1.212.277.7100 • F: +1.212.277.7111
United States • United Kingdom • Czech Republic • Romania • Bulgaria • India • Philippines • Colombia • South Africa
On the web: EXLservice.com
© 2017 ExlService Holdings, Inc. All Rights Reserved.
For more information, see www.exlservice.com/legal-disclaimer
EXL (NASDAQ: EXLS) is a leading operations management and analytics company that designs and enables
agile, customer-centric operating models to help clients improve their revenue growth and profitability. Our
delivery model provides market-leading business outcomes using EXL’s proprietary Business EXLerator
Framework®, cutting-edge analytics, digital transformation and domain expertise. At EXL, we look deeper to
help companies improve global operations, enhance data-driven insights, increase customer satisfaction,
and manage risk and compliance. EXL serves the insurance, healthcare, banking and financial services,
utilities, travel, transportation and logistics industries. Headquartered in New York, New York, EXL has
more than 27,000 professionals in locations throughout the United States, Europe, Asia (primarily India and
Philippines), South America, Australia and South Africa.