Effective data compliance and customer service free up businesses to do what they do best – business. Failure in customer service, on the other hand, can hinder sales and tie up staff. In worst-case scenarios this can lead to multiple Subject Access Requests, adverse regulatory scrutiny or even litigation.
The answer is an effective strategy that takes into account the issues around personal data. A company might have excellent customer services in all other aspects of their business, but failure to properly manage personal data enquiries can un-do all that work.
Many companies invest significant resources in, quite properly, preparing comprehensive Data Privacy statements, robust compliance policies and protocols. However, they are meaningless if they fail at first point of contact between staff and consumer. Businesses should aim to empower staff, even those who might receive queries about data, with a basic understanding of best practice. Employees who are aware of policy and the general provenance of the personal data held by their company, how it is collected and consumer rights, already have a head start. They are much likelier to provide quality customer service and mitigate complaints. Add to this the Golden Rule of don’t answer a question if you don’t know the answer but find someone quickly who can and a company has begun to demonstrate solid principles.
Forward-facing staff should anticipate the commonly asked queries: Where did you get my personal data? What right do you have to use it? You are holding my details illegally. How do you know how old I am? I demand to know ….
Whatever the question, the key for anyone responsible for handling consumer data queries is to embed quality customer service into your team, whatever the demands: do so and you will be rewarded. It’s easy to become exasperated by complainants, some of whom can appear vexatious. However, these sorts of customers can be engaged and won over and it’s often not difficult to do. Handling queries transparently, efficiently and above all sensitively and you will usually ease concerns, save time and even leave consumers with a more positive impression of your company. For example, careful management of people wishing to stop elderly relatives with dementia receiving telemarketing calls or the person who receives marketing mail-pieces from healthcare providers after a cancer diagnosis. These are all common complaints. But try also to be sensitive with those with seemingly more trivial concerns about the use of their data.
Transparency trumps opacity – for example some companies are tempted not to have clear customer contacts on their website, figuring that customers might simply give up looking. However, if they persevere by the time they finally reach you, a once placid customer has been needlessly transformed into Mr Furious. In any case, the new EU Data Protection Regulation will make opacity a more difficult path to choose.
Conversely, the transparent company isn’t one that over-zealously provides the customer (who simply asked; “Why have you got my details and can you stop using them?”) with far more than they asked for. Triage of complaints using capable staff is the key, and of course, smart disclosure may also be commercially prudent. Answering the query adeptly is often sufficient, and might prevent a time-consuming Subject Access Request – where you are left with no choice but to reveal all.
Transparency works best with clarity: insider jargon can be confusing or ambiguous. Unless it is a legal formal submission it helps to keep it simple. If you have to write, “we have suppressed your details,” at least explain the meaning of suppressed. For many customers it really does sound like you may very well use them again.
Transparency should be the theme from the beginning to the end and this includes not leaving customers in the dark – ensure they know how long you need to answer queries. It may be best practice to respond within 20 working days, but a customer left this long might vent their frustration on social media, causing avoidable reputational damage. If you need time, have the ‘holder email’ on standby, keep in touch with your customer and remind them you care.
Finally, tread very carefully when it comes to sharing personal data, especially if it is deemed “sensitive data”. Could anyone who shouldn’t get access to it? Ensure the person you are engaged with is definitely who they say they say they are and don’t be cajoled into providing personal data to a husband about their wife or vice versa. Bear in mind they just might be a journalist.
Skilful handling of personal data queries is like good anti-virus software: it prevents problems, ones that would only become apparent once you’d forgotten to update it.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.