In the run-up to May 25 this year many people, including me, were inundated with emails from companies asking them to opt in to their email marketing lists or informing them of their new data, security and privacy policies. This was all due to the fact that the long-talked-about General Data Protection Regulation (GDPR) framework came into force in Europe.
After the dust started to settle and my inbox had started to return to normal, I began to think more broadly about GDPR and what it really means for companies, their practices and the relationships they have with their customers.
That has led me to have a number of discussions with different people about the ramifications of GDPR and what that means for companies, particularly when it comes to delivering service to their customers.
Through those discussions I’ve been able to identify three different areas that don’t seem to be getting much attention in the general discussion about the impact of GDPR and, more importantly, don’t seem to be part of the thinking of many organizations.
The first area concerns AI-enabled and automated decision making.
Rob Walker, Vice President of Decision Management and Analytics at Pegasystems, believes that “there is a danger that folks in Europe are being a little naive about what GDPR actually entails”. He says that while the regulations do cover areas like opting in and out of email lists and communications, the right to be forgotten and the right to query what data a company has on you, that is only part of the picture.
Another large part of GDPR that many companies are not factoring into their thinking is that every automated decision that is made by a company when it is dealing with a customer needs to be explained.
For example, imagine if a customer applied for a mortgage and they were not successful. If they then asked for an explanation of why they were not successful, your answer cannot be … the “computer said No” or “that’s how the system works.”
Under the new GDPR framework companies have to be able to explain the rationale behind the recommendations or decisions they make regarding their customers.
That’s not to say that many companies, particularly in financial services, are in contravention of GDPR regulations.
Not at all.
In fact, Rob believes that many of them are already ahead of GDPR practices, given how they handle data, technology, security and privacy as an operational risk.
But if you are an organization that is using advanced technology to automate decision making at different points of the customer experience then you would be wise to consider how those decisions and recommendations are impacted by GDPR.
The second area concerns the collection of personal data in real time over the phone.
Imagine a scenario where you have to call a company to order something new or make an adjustment to an order. After you place the order, the company’s representative then asks you how you would like to pay, adding that they can take payment over the phone. You say that will be fine and proceed to give them your name and credit or debit card details to finalize the order.
Is that personal data that you provided over the phone subject to GDPR?
Tim Critchley, CEO of Semafone, a leading provider of Payment Card Industry Data Security Standard (PCI DSS) solutions for contact centers, believes it is.
He says that any Personally Identifiable Information (PII) that is collected, particularly personal data that is collected in real time over the phone, is “absolutely subject to GDPR” and that companies need to “be thinking very carefully about what they are doing with that data and that information, how they are storing it, how they are processing it and how they are capturing it.”
Again, this is an area that is not receiving much attention in the discussion about GDPR, and there is a risk that it is being overlooked.
This risk can be largely eliminated through the use of technology that helps with data capture and also removes the personal aspects of the data. As Tim says, “you can’t be hacked for data you’re not holding.”
The third area concerns the recording of calls for quality, training and analytics purposes.
I am sure that everyone, at some point or another, will have called a contact center to be greeted with a recorded message that says: “Your call may be recorded for quality and training purposes.”
Now, if all you are doing is using the recordings for quality and training purposes and are not capturing and storing personal information via those calls then the statement is probably fine under GDPR.
However, many organizations are now using advanced call analytics technology to allow them to categorize calls and capture call sentiment, among other things.
Is this sort of activity impacted by GDPR?
Tim Critchley believes that that’s definitely “something that’s worth reviewing,” particularly if you are capturing some sort of personal data through that analytical process, which you may not have explicit consent for.
Now, these are just three areas that I have been able to identify that have a direct impact on day-to-day customer operations. However, I am sure many more will emerge over time.
The point is that, as Rob Walker stated earlier in this piece: “folks in Europe are being a little naive about what GDPR actually entails” and many organizations need to start thinking more broadly about GDPR, what it means for their business, their business practices, their use of technology and their customers.
This post was originally published on Forbes.com here.
Thanks to Pixabay for the image.