Creating a GDPR-Compliant Experience

What You Need to Know About Creating a GDPR-Compliant Digital Customer Experience

by Rob Verheul
Managing Director

Graphite's Managing Director and a BIMA 100 winner. Also on the BIMA Young Talent Council, which is focused on creating a pipeline of future innovators in all areas of digital.

Published on Monday 21st May 2018

GDPR is now in full swing, meaning all companies serving customers living in EU countries need to adjust their customer experience (if they haven’t done so already) to comply with GDPR – and avoid hefty fines!

Some companies viewed GDPR as an unwelcome, time-consuming hassle that forced them to reshape their customer experience, but we didn’t see it that way. There are many benefits to the customer experience under GDPR.

Too many customers have been frustrated over the years by receiving emails, invitations etc. to things that they never signed up for; GDPR is here to stop this, ensuring a more transparent customer experience, which can only be a good thing for a company and its customers.

In this article we have provided tips and best practice examples that cover the whole customer lifecycle – from new registration to customer relationships that are coming to an end. Here are some thoughts that should hopefully help you to think about what you need to be doing.

New Customer Registration & Opt-Ins

GDPR means you’ll no longer be able to keep hold of all kinds of customer data for the long term; you’ll need a reason for storing any customer information you keep, otherwise you’re putting yourself at risk of a fine of either 20 million euros or 4% of your global turnover (whichever is higher).

1. Complete transparency on what personal data is being used for

The days of ‘give full consent to everything before you use our service’ are over. All data you keep must be justified; customers will need to know what they are signing up for, and why you require this data from them.

Some valid justifying conditions are:

  • Consent – customers have agreed that you can do a specific thing with each piece of information
  • Contract – you need specific information in order to perform your service
  • Legitimate interests – you need some information to do business, e.g. emails of potential clients in order to contact them about work.

2. Enable granular controls for communication

Moving forward, you’ll need to give the customer complete control over the communication they receive. Break up your opt-in forms as much as you can to make it a breeze for the customer to select their contact preferences.

Image: an opt-in example from Subway which gives granular controls.

3. Provide a clearly accessible consent separate from your other terms and conditions

Few people ever read a company’s terms and conditions – and who can blame them? They are always long and difficult to read. This is one of the issues GDPR is here to fix. With GDPR in full swing, companies need to prove that individuals have given their consent - so clarity in the opt-in user experience is essential.

This consent must be:

  • Concise, transparent, intelligible and easily accessible
  • Written in clear and plain language, particularly if addressed to a child
  • Free of charge.

Image: an example from the Data Protection Network which uses a slider to clearly indicate opt-in.

4. Make sure it’s clear what you’re going to use their data for

The processing of personal data should be limited to ‘specified, explicit, legitimate purposes’. In other words, only do with people's data what they would reasonably expect you to do. A good rule of thumb is that they shouldn't find it surprising!

In order to demonstrate compliance, those explicit purposes should be documented.

Where the legal basis for processing data is consent:

  • You need to keep a record of exactly what permissions the individual gave
  • You need to ensure you don’t use their data for anything they haven’t consented to
  • If you want to use their data for something new, you must get further consent - more on this in the next point...

5. Ask for additional data and consent ‘just in time’

A new way of acquiring customer consent is the ‘just-in-time’ notice. These are one of the many benefits GDPR brings: they help to break up the customer journey, layer by layer, and they also help you comply with the ‘data minimisation’ requirement – where data processing should be ‘adequate, relevant, limited to what is necessary’.

Use ‘just-in-time’ notices to show pertinent information while the user fills out a consent form. This way, your notice will catch their eye and provide assurance as to what they are signing up for, and why it’s necessary in order to proceed in using your service.

Image: a ‘just-in-time’ notice prototype from the ICO.

Ongoing Customer Relationships

Your service may require additional information that your customers are yet to give as they navigate through your website/application. This is one of our favourite aspects of GDPR, as there are new ways to quickly explain why you need more information from them, in a discreet way.

6. Design your customer service workflow for subject access requests

It is a legal requirement that customers can now ask for all the information that you have on them, and to update their data. You need to create a workflow that enables this, with security protocols within it – you do not want to inadvertently provide data to someone who is not who they’re claiming to be.

Once an individual has submitted their request, they are entitled to be:

  • Told whether any personal data is being processed
  • Given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people
  • Given a copy of the information comprising the data; and given details of the source of the data (where this is available).

All of this is to be delivered within 30 calendar days of receiving the request, which can be challenging if you work with other data processors, since you will need to work with those partners to collate the data.

7. Give customers the ability to keep data up to date

Data needs to be ‘accurate and, where necessary, kept up to date’ - so giving your customers visibility and the ability to update the information is important.

When you are informed of an update to an individual’s data you need to update all your operational systems (e.g. CRM, line of business software, accounting software) with that new data immediately.

Where you find a piece of information is incorrect, e.g. returned post or bounced emails, you need to delete the incorrect data from all operational systems immediately.

This likely doesn’t apply to historical data where the purpose is to provide a historical record, but you probably need to think about what happens when restoring from an out-of-date backup.

8. Ensure customer data is held securely

It goes almost without saying, but the number of high-profile hacking cases in the news, combined with the complexity of protecting your data, means physical and electronic security needs to be a top priority.

Ending Customer Relationships

9. Unsubscribe means no

If you receive an opt-out or unsubscribe notification there are no grounds to refuse it. This can be quite hard for companies to manage as customer data may be in silos across the business, or even with external providers. Unsubscribes will need to be honoured throughout the business, so you’ll need to ensure your processes are clear.

10. Enable data expiration and review dates

Don’t assume that your customers want to remain customers forever, because GDPR means you can't keep hold of their personal data forever. Once you've used it for its original purpose you must get rid of it. Also, you need to know when you got the data originally and when your business no longer needs it.

Customers might forget about you, so build in an expiry process. It’s advised to warn your customers that the expiry date is looming, so they can re-activate their account periodically.
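Points 4, 9 and 10 above all boil down to the same data-handling rule: every use of personal data must be backed by a live, purpose-specific consent, a withdrawal is honoured everywhere, and the data is not used once its retention period has passed. The following is an added example (not code from the original article or from Graphite) of a small consent-and-retention ledger that encodes those rules; the purposes, retention period, customer id and dates are constructed for illustration.

```python
# Added example, not from the article: a purpose-scoped consent + retention ledger.
from dataclasses import dataclass, field
from datetime import date, timedelta
@dataclass
class Consent:
    purpose: str                   # one specific use, e.g. "marketing_email"
    given_on: date
    source: str                    # where the opt-in was captured (audit trail)
    withdrawn_on: "date | None" = None

@dataclass
class CustomerRecord:
    customer_id: str
    collected_on: date             # when the data was first obtained
    retention_days: int            # how long the original purpose needs it
    consents: dict = field(default_factory=dict)   # purpose -> Consent

    def grant(self, purpose: str, on: date, source: str) -> None:
        # One granular opt-in per purpose; a fresh grant replaces a withdrawn one.
        self.consents[purpose] = Consent(purpose, on, source)

    def withdraw(self, purpose: str, on: date) -> None:
        # "Unsubscribe means no": keep the record, mark it withdrawn (idempotent).
        c = self.consents.setdefault(purpose, Consent(purpose, on, "unsubscribe", on))
        c.withdrawn_on = c.withdrawn_on or on

    def expiry_date(self) -> date:
        return self.collected_on + timedelta(days=self.retention_days)

    def may_process(self, purpose: str, today: date) -> bool:
        # Live consent for exactly this purpose, and only within the retention period.
        c = self.consents.get(purpose)
        return c is not None and c.withdrawn_on is None and today < self.expiry_date()

    def needs_review(self, today: date, warn_days: int = 30) -> bool:
        # Window in which the customer should be warned that expiry is looming.
        return self.expiry_date() - timedelta(days=warn_days) <= today < self.expiry_date()

def demo() -> dict:
    # Constructed sample data: one customer, two granular opt-ins, one unsubscribe.
    cust = CustomerRecord("cust-0001", date(2018, 5, 25), retention_days=365)
    cust.grant("marketing_email", date(2018, 5, 25), "signup_form")
    cust.grant("service_email", date(2018, 5, 25), "signup_form")
    cust.withdraw("marketing_email", date(2018, 9, 1))
    return {
        "marketing_after_unsubscribe": cust.may_process("marketing_email", date(2018, 9, 2)),
        "service_still_ok": cust.may_process("service_email", date(2018, 9, 2)),
        "sms_never_consented": cust.may_process("marketing_sms", date(2018, 9, 2)),
        "after_expiry": cust.may_process("service_email", date(2019, 5, 25)),
    }
```

Every `may_process` answer can be traced back to one recorded opt-in with its source and dates, which is the record you need when asked to demonstrate compliance.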

11. Enable data portability

Customers will require the capability to transfer the data out from your platform, allowing individuals to reuse their personal data for their own purposes across different services.

The benefit for customers is that it allows them to move, copy or transfer personal data easily from one IT environment to another – in a safe, secure way without affecting its usability.

As this is now a legal requirement, you’ll need to rethink how you handle data; the data is now customer property. LinkedIn, the popular networking website, has an easy-to-use system in place that allows its users to download their data in a clean format, that is:

  • Structured;
  • Commonly used; and
  • Machine readable

Things become a little more difficult if a customer speaks with a customer representative and verbally asks for their data. You must be thorough in verifying that the individual is who they say they are, and that they are fully authorised to receive the information, all while sticking to the 30-day period.

Another complication surrounds the data of others - if the requested information includes information about other people (e.g. third-party data) you need to consider whether transmitting that data would adversely affect the rights and freedoms of those third parties.

12. Provide the right to erasure

GDPR gives customers the right to request to have all of their data erased. However, this right is not absolute; it only applies in specific circumstances.

A request can be made verbally or in writing. As this can be a complex process, a checklist is necessary to ensure requests are handled accordingly.

There are many factors to consider when a request is made:

  • When does the right to erasure apply?
  • How does this affect data collected from children?
  • Do you need to tell other organisations about the deletion of personal data?
  • Can this request be refused?

Read the ICO’s page on ‘right to erasure’ to familiarise yourself with the full scope of what’s to be considered should your company receive a ‘right to erasure request’.

Image: a handy ‘right to erasure’ checklist from the ICO.

In Conclusion

We have looked at several key principles which align with a typical customer lifecycle, from:

New Customer Registration & Opt-Ins:

  • Complete transparency on what personal data is being used for
  • Enable granular controls for communication
  • Provide a clearly accessible consent separate from your other terms and conditions
  • Make sure it’s clear what you’re going to use their data for
  • Ask for additional data and consent ‘just in time’

Ongoing Customer Relationships:

  • Design your customer service workflow for subject access requests
  • Give customers the ability to keep data up to date
  • Ensure customer data is held securely

Ending Customer Relationships:

  • Unsubscribe means no
  • Enable data expiration and review dates
  • Enable data portability
  • Provide the right to erasure

It goes without saying that you should consult with your own legal counsel in your part of the world, and that this list is a brief introduction to help guide you in creating a GDPR-compliant digital customer experience - but we hope it helps.

Examine your customer experience

It can be difficult to see all the opportunities within your organisation when you’re working inside it day in day out. This is why we run two Experience Workshops each month. These have helped many global organisations gain a fresh perspective on their customer experience to assess new opportunities.

Book your spot at a free Experience Workshop. Let’s assess your customer journey to see what we can do to add more value to both your customers and your organisation. Let us add velocity to your vision.