GDPR FAQs from the Contact Center


Share on LinkedIn

In the wake of the May 25, 2018 GDPR implementation, businesses are left assessing their ability and requirement to comply with this regulation. The GDPR (General Data Protection Regulation) is a piece of EU legislation designed to strengthen and unify data protection laws for all individuals within the European Union.

This regulation applies to any organization that processes personal data of individuals in the European Union, whether or not the company is based in the EU themselves. It is currently effective and enforceable (as of May 25)!

Impact on the Contact Center

The GDPR primarily affects the everyday operations of any department within your organization who act as data controllers. The regulation regards data controllers as entities that collect data directly from data subjects.

Contact centers are without a doubt data controllers. So long as they interact with and collect personal information from customers in order to do their job. This means they must be mindful of the following responsibilities:

  • Satisfying their own data controller responsibilities as laid out by the regulation
  • Ensuring their data processors satisfy their responsibilities

GDPR FAQs Answered

Sparkcentral sat down with information security expert Barak Engel prior to the GDPR’s implementation date for a live webinar that dove into more specifics around the regulation and its impact on the contact center. You can watch the 30 minute recorded version here. Our live attendees had some very relevant questions for Barak that we feel many others would be curious about as well. Below I have highlighted five of these questions and summarized Barak’s answers.

Q. Will GDPR standards vary from domain to domain or is the same across domains? E.g. Healthcare, insurance, retail, manufacturing domains will all have the same GDPR standards.

Answer: Yes, the “G” in GDPR stands for general. It applies to any industry. There are some specific rules in Germany for telecoms which go above and beyond GDPR compliance and have a component of data sovereignty, but that’s an add-on. The GDPR itself applies to any industry.

Q. How will the GDPR affect data center storage and data sovereignty?

Answer: There is no data sovereignty component to GDPR itself. Which means that this whole idea that data has to stay in the EU in order for the company whose managing it to stay compliant, is just not true. In fact, the privacy commission, in the rules themselves, talks about cross-border transactions and the notion of moving data from within the EU to outside the EU. All within the context of GDPR.

Q. What if the contact center is a 3rd party? Are they still a data controller and not a data processor?

Answer: A 3rd party typically would be a processor. In order to be a controller you have to have the direct interaction with the customer, that’s the defining differentiator. It’s important to note that you can be a data controller in one context and a data processor in another. In many cases, an entity will act as both, but you draw a very narrow line between those roles. If you are interacting directly with data subject to a particular function then you are a controller.

Q. Can you compare the GDPR to any pieces of legislation from other countries?

Answer: The GDPR has done something quite brilliant here because it is a massive economic matter that has many people living inside of it. What is unique about the EU and how they structured the GDPR is that they kept both sides in mind, it really is attempting to be a fair standard. They want to support business moving forward but they just want to have a standard way of doing so to ensure everyone is on the same page. In that respect, there really isn’t anything quite like it anywhere in the world.

Q. Is it necessary to regain customers’ consent for existing lists?

Answer: This is one of those issues that is not fully resolved within the regulation. There isn’t a clear-cut answer to this one unfortunately, there are a lot of questions about how to handle things from the past. With that said, the intention is to have organizations apply these standards retroactively if a customer were to request you forget their information. It’s all about fairness here.

Kelsey Brazill
Kelsey Brazill’s passion for digital customer engagement was sparked by social media management roles she held when starting her career in New York City. Her focus has since shifted to field marketing but customer engagement has remained central to her work. As Digital and Field Marketing Programs Manager for Sparkcentral, Kelsey is leveraging both her digital and field marketing experience to champion effortless customer experience through the leading social and customer engagement platform.


Please use comments to add value to the discussion. Maximum one link to an educational blog post or article. We will NOT PUBLISH brief comments like "good post," comments that mainly promote links, or comments with links to companies, products, or services.

Please enter your comment!
Please enter your name here