Case Study - Call Centre Data Protection Officer Updated

Case Study – Call Centre Data Protection Officer Updated

Bethany works for a call centre.

They did not need a designated DPO under GDPR but want to carry out and evidence some checks to meet the Accountability requirement. The Accountability Principle says that organisations should comply with the data protection principles and be able to evidence compliance. Bethany and the senior management team have taken the view that this means putting a compliance framework in place.

The compliance framework at the call centre involves designating roles and responsibilities in relation to data protection, identifying what policies and procedures are required to safeguard data and comply with the data protection principles and undertake staff training so that everyone knows their role and what their responsibilities are.

Under GDPR, data protection compliance is approached on a risk basis: identifying the key risks to personal data and introducing measures to avoid or mitigate those risks. The call centre has a high staff turnover and Bethany decides the main risk is that new comers may not have absorbed the privacy messages in induction training, so she sets mini tests for colleagues one week, one month and three months after their initial data protection training using the bank of questions in the DPO Support Package.

Bethany also tests managers by giving them the mini audit forms which test awareness of policies and procedures and where to find them.

Good move Bethany!

Updated 5 June 2018

Senior management take a decision to record inbound and some outbound calls to and from the call centre. Bethany helps the team to carry out a DPIA risk assessment. They agree that there are risks around:

Payment Card Industry compliance (not recording credit and debit card details);
fair processing and the need to keep people informed;
subject rights that might be exercised by staff and callers in respect of the recordings;
how long the calls will be retained; and
monitoring at work as the recordings will be used for quality control and staff training.

Bethany questions the underlying reasons for starting to record calls and the proportionality of the decision. Senor management decide to put the call recording project on hold and carry out some live call monitoring for a short period to ascertain the risk in the business. Then they will have evidence to support the decision to introduce call recording or will be reassured that call recording is not required.

About the Author: mandy.webster

Since June 1999 Mandy Webster has been a freelance consultant offering audit, advice and training on privacy, information security and e-commerce issues as Data Protection Consulting Limited. The company’s mission is to help clients from a variety of sectors, and of all sizes, comply with data protection law and to that end it offers a range of solutions. Mandy, a qualified lawyer, is author of ‘Data Protection for the HR Manager’ and ‘Data Protection in the Financial Services Industry’ published by Gower and “Effective Data Protection” and ‘The ICSA Data Protection Troubleshooter’ published by ICSA Publishing Limited. Mandy is a well-known writer, commentator and speaker on data protection.

Case Study – Call Centre Data Protection Officer Updated

Updated 5 June 2018

Fine reduced on appeal

How to be a Compliance Auditor

Data Protection fine for failure to appoint EU representative

Review of GDPR Right to be Informed

Data Processing Agreements

Case Study – Call Centre Data Protection Officer Updated