GDPR is now in full swing, meaning all companies serving customers living in EU countries need to adjust their customer experience (if they haven’t done so already) to comply with GDPR – and avoid hefty fines!
Some companies viewed GDPR as an unwelcome, time-consuming hassle that forced them to reshape their customer experience, but we didn’t see it that way. There are many benefits to the customer experience under GDPR.
Too many customers have been frustrated over the years by receiving emails, invitations etc. to things that they never signed up for; GDPR is here to stop this, ensuring a more transparent customer experience, which can only be a good thing for a company and its customers.
In this article we have provided tips and best practice examples that cover the whole customer lifecycle – from new registration to customer relationships that are coming to an end. Here are some thoughts that should hopefully help you to think about what you need to be doing.
GDPR means you’ll no longer be able to keep hold of all kinds of customer data for the long term; you’ll need a reason for storing any customer information you keep, otherwise you’re putting yourself at risk of a fine of either 20 million euros or 4% of your global turnover (whichever is higher).
The days of ‘give full consent to everything before you use our service’ are over. All data you keep must be justified; customers will need to know what they are signing up for, and why you require this data from them.
Some valid justifying conditions are:
Moving forward, you’ll need to give the customer complete control over the communication they receive. Break up your opt-in forms as much as you can to make it a breeze for the customer to select their contact preferences.
An opt-in example from Subway which gives granular controls
Few people ever read a company’s terms and conditions – and who can blame them? They are always long and difficult to read. This is one of the issues GDPR is here to fix. With GDPR in full swing, companies need to prove that individuals have given their consent - so clarity in the opt-in user experience is essential.
This consent must be:
Here's an example from the Data Protection Network which uses a slider to clearly indicate opt-in.
The processing of personal data should be limited to ‘specified, explicit, legitimate purposes’. In other words, only do with people's data what they would reasonably expect you to do. A good rule of thumb is that they shouldn't find it surprising!
In order to demonstrate compliance, those explicit purposes should be documented.
Where the legal basis for processing data is consent
A new way of acquiring customer consent is the ‘just-in-time’ notice. These notices are one of the many benefits GDPR brings: they help to break up the customer journey, layer by layer, and also help you comply with the ‘data minimisation’ requirement – where data processing should be ‘adequate, relevant, limited to what is necessary’.
Use ‘just-in-time’ notices to show pertinent information while the user fills out a consent form. This way, your notice will catch their eye and provide assurance as to what they are signing up for, and why it’s necessary to proceed in using your service.
A ‘just-in-time’ notice prototype from the ICO
Your service may require additional information that your customers are yet to give as they navigate through your website/application. This is one of our favourite aspects of GDPR, as there are new ways to quickly explain why you need more information from them, in a discreet way.
It is a legal requirement that customers can now ask for all the information that you have on them, and to update their data. You need to create a workflow that enables this, with security protocols within it – you do not want to inadvertently provide data to someone who is not who they’re claiming to be.
Once an individual has submitted their request, they are entitled to be:
All of this is to be delivered within 30 calendar days of receiving the request, which can be challenging if you rely on other data processors and need to work with those partners to collate the data.
Data needs to be ‘accurate and, where necessary, kept up to date’ - so giving your customers visibility and the ability to update the information is important.
When you are informed of an update to an individual’s data you need to update all your operational systems (e.g. CRM, line of business software, accounting software) with that new data immediately.
Where you find a piece of information is incorrect, e.g. returned post or bounced emails, you need to delete the incorrect data from all operational systems immediately.
This likely doesn’t apply to historical data where the purpose is to provide a historical record, but you probably need to think about what happens when restoring from an out-of-date backup.
It goes almost without saying, but the number of high-profile hacking cases in the news, combined with the complexity of protecting your data, means physical and electronic security needs to be a top priority.
If you receive an opt-out or unsubscribe notification there are no grounds to refuse it. This can be quite hard for companies to manage as customer data may be in silos across the business, or even with external providers. Unsubscribes will need to be honoured throughout the business, so you’ll need to ensure your processes are clear.
Don’t assume that your customers want to remain customers forever, because GDPR means you can't keep hold of their personal data forever. Once you've used it for its original purpose you must get rid of it. Also, you need to know when you got the data originally and when your business no longer needs it.
Customers might forget about you, so build in an expiry process. It’s advised to warn your customers that the expiry date is looming, so they can re-activate their account periodically.
Customers will require the capability to transfer the data out from your platform, allowing individuals to reuse their personal data for their own purposes across different services.
The benefit for customers is that it allows them to move, copy or transfer personal data easily from one IT environment to another – in a safe, secure way without affecting its usability.
As this is now a legal requirement, you’ll need to rethink how you handle data; the data is now customer property. LinkedIn, the popular networking website, has an easy-to-use system in place that allows its users to download their data in a clean format, that is:
Things become a little more difficult if a customer speaks with a customer representative and verbally asks for their data. You must be thorough in verifying that the individual is who they say they are, and that they are fully authorised to receive the information, all while sticking to the 30-day period.
Another complication surrounds the data of others - if the requested information includes information about others (e.g. third-party data) you need to consider whether transmitting that data would adversely affect the rights and freedoms of those third parties.
GDPR gives customers the right to request to have all of their data erased. However, this right is not absolute; it only applies in specific circumstances.
A request can be made verbally or in writing. As this can be a complex process, a checklist is necessary to ensure requests are handled accordingly.
There are many factors to consider when a request is made:
Read the ICO’s page on ‘right to erasure’ to familiarise yourself with the full scope of what’s to be considered should your company receive a ‘right to erasure request’.
Here’s a handy checklist from the ICO.
We have looked at several key principles which align with a typical customer lifecycle, from:
New Customer Registration & Opt-Ins:
Ongoing Customer Relationships:
Ending Customer Relationships:
It goes without saying that you should consult with your own legal counsel in your part of the world, and that this list is a brief introduction to help guide you in creating a GDPR-compliant digital customer experience - but we hope it helps.