Bethany works for a call centre.

They did not need a designated DPO under GDPR but want to carry out and evidence some checks to meet the Accountability requirement.  The Accountability Principle says that organisations should comply with the data protection principles and be able to evidence compliance.  Bethany and the senior management team have taken the view that this means putting a compliance framework in place.

The compliance framework at the call centre involves designating roles and responsibilities in relation to data protection, identifying what policies and procedures are required to safeguard data and comply with the data protection principles and undertake staff training so that everyone knows their role and what their responsibilities are.

Under GDPR, data protection compliance is approached on a risk basis: identifying the key risks to personal data and introducing measures to avoid or mitigate those risks.  The call centre has a high staff turnover and Bethany decides the main risk is that new comers may not have absorbed the privacy messages in induction training, so she sets mini tests for colleagues one week, one month and three months after their initial data protection training using the bank of questions in the DPO Support Package.

Bethany also tests managers by giving them the mini audit forms which test awareness of policies and procedures and where to find them.

Good move Bethany!

Updated 5 June 2018

Senior management take a decision to record inbound and some outbound calls to and from the call centre. Bethany helps the team to carry out a DPIA risk assessment. They agree that there are risks around:

  • Payment Card Industry compliance (not recording credit and debit card details);
  • fair processing and the need to keep people informed;
  • subject rights that might be exercised by staff and callers in respect of the recordings;
  • how long the calls will be retained; and
  • monitoring at work as the recordings will be used for quality control and staff training.

Bethany questions the underlying reasons for starting to record calls and the proportionality of the decision. Senor management decide to put the call recording project on hold and carry out some live call monitoring for a short period to ascertain the risk in the business. Then they will have evidence to support the decision to introduce call recording or will be reassured that call recording is not required.