customer management the de facto verification for smartphones. currently 15 million uk customers...
TRANSCRIPT
Customer ManagementINTELLIGENCE - JANUARY 2018
IncludesWill customers soon start charging you for their data?
Is there value in helping consumers manage their digital identities?
Has the tide turned against the data giants?
SECTOR DIGEST
Sharper appointments with robot HR
The lessons learned around chatbots in the customer service industry are being picked up in talent acquisition. HR Technologist reports that chatbot technology is increasingly being used to screen candidates for roles, and the machine learning techniques previously developed to analyse customer behaviours are now being applied to sift through large volumes of data to seek out suitable talent and predict aptitude.
RECRUITMENT
TECHNOLOGY
SECTOR DigestDS
94 per cent of Americans “dread contacting customer support” …but they still like having a human at the end of the phone. In a recent study by market researchers Propeller Insights, customers cited long wait times, constant transfers between departments and poorly briefed agents as pet hates. Consequently more than 50% of the 2000-plus consumers quizzed said they were looking forward to more help from chatbots (the subject the research was originally commissioned to examine). However, when they got it, they were largely disappointed. Only one in five thought chatbots actually helped, and 63% said that after trying them, they’d rather go back to the old ways and put up with the long wait to speak to a real person.
Messaging makes headway in the salesBlack Friday and Cyber Monday are fast turning into messaging events. LivePerson, who supply cloud mobile and business messaging solutions, said it recorded a 188% increase in first-time messaging conversations in the recent sales blitz, indicating that customers are increasingly turning away from 0800 numbers. Not surprisingly most deal hunting continues to be done online, but LivePerson’s data also revealed that passionate consumerism often has little regard for personal solvency. Online traffic to retail sites on Black Friday soared by 210%. Online visits to check bank accounts? By just 88%.
CUSTOMER MANAGEMENT
RETAIL
8 handy AI starting points
If your business feels it could be time to dabble in Artificial Intelligence and machine learning, where should it begin? AI experts at ComputerWorld have identified the eight most useful places to start.
1. Build a chatbot: it’s good practice.
2. Automate your marketing: such as customer recommendations.
3. Reduce fraud and cybersecurity risks: using analytics to spot unusual activity.
4. Smarten up your inventory planning: more accurate sales predictions will lead to better supply chain management.
5. Analyse travel and logistics: better routing of meetings and client visits will ensure more efficient use of employees’ time.
6. Smarter maintenance: predict failures before they happen.
7. Recruitment: AI could fine-tune your ads to attract the best candidates.
8. Improve workplace safety: sensors and cameras can keep track of equipment and workers to spot someone using gear they’re not qualified for.
No more 1234
If not quite dead by the end of year, the password will still be a sickly creature. So predicts Deloitte who see 2018 as the year biometric ID becomes the de facto verification for smartphones. Currently 15 million UK customers have smartphones with fingerprint scanners – about 36% of the user base – and 80% of those use them. Only 3% are using facial recognition, but Paul Lee, Head of Research for Technology, Media and Telecoms at Deloitte, sees that situation changing rapidly. “By the end of 2018 it is likely that 3D facial recognition will be used more frequently than fingerprint scanners in smartphones,” he wagers. Meanwhile passwords are becoming ever longer and more complex in order to compete in terms of security, and are destined to fall out of favour. Mind you, if hackers steal your password you can change it. If they steal your face…
About this rash...
By now GPs are used to patients turning up at the surgery, convinced by a panicky scan of the Internet that they’ve developed some exotic and life-threatening disease. So it will be interesting to see how they welcome Microsoft’s announcement of a ‘Health Bot’. It will give patients self-service access to health information, to check symptoms and recommend care based on what Microsoft terms “authoritative medical content”. The US project is aimed at reducing treatment costs for medical insurers.
How does customer service compare between the public and private sectors?
Analysis of nearly 2000 psychometric questionnaires, filled in by customer agents from both sides of the divide, show intriguing differences according to training and development consultant Dr Laura Olcelli. Advisors representing government agencies are more likely to be optimistic and less likely to be stressed than their private sector counterparts. Dr Olcelli thinks that’s partly because they see it as a job for life with a generous pension at the end, but also because public sector agents are less driven by targets and handling-time pressures. Public sector teams also score higher on emotional intelligence. That could be because they get more practice dealing with a greater range of difficult and emotionally taxing enquiries during the day.
SECURITY
HEALTH
CUSTOMER MANAGEMENT
More to be squeezed from CRM
Sales reps using a CRM system could claw back an average of six weeks a year lost to admin if they embraced automation. Research firm Opinion Matters discovered that while CRM software spend is increasing, much of the automation it offers can be ignored by reps who still favour manually updating their records or entering prospects phone numbers. Old habits die hard…
SALES
SECTOR DigestDS
SECTOR DigestDS
Machines could save time if they did the talking
IT decision makers are convinced that the way to improve customer experience is to have machines talking directly to humans, of their own volition. Of the 2,500 surveyed by Opinium for telecoms business Mitel, seven in ten saw a future where devices directly contacted staff or customers when a threshold was triggered, then automatically routed the information to the right person as a way of pre-empting problems and boosting customer responsiveness and issue resolution.
Execs and customers don’t see eye-to-eye on AI
Nearly three quarters of consumers are nervous about AI infringing on their privacy, says a study by professional services firm Genpact. Around 60% believe their government should do more to specifically protect data from AI. However, a similar Genpact survey within businesses shows this runs counter to company attitudes where 88% of senior executives are convinced AI is the way forward. In fact in some instances, eg chatbots, executives were more than three times as keen on the technology as the consumers they serve professed to be.
TECHNOLOGY
BUT...
The five big trends of digital customer engagement for 2018
According to contact centre technologists Sabio they are…
1. Virtual assistants becoming a customer’s first point of contact with an organisation
2. Messaging services continuing to boom
3. Connected products triggering new levels of customer service demand
4. Regulatory pressures from both GDPR and MiFID II (Markets in Financial Instruments Directive) requiring a complete customer data rethink
5. An increased focus on user experience as a part of successful customer journeys
CUSTOMER MANAGEMENT
Messenger gets a customer management boost
November saw Facebook release Messenger Platform 2.2, and the latest version has some useful advances relevant to customer management. Key is the introduction of a customer chat plug-in that enables customers to flip their conversations back and forth between a company’s website and Messenger, without loss of context or history. 2.2 will also support platform capabilities such as payments, NLP and rich media. It’s currently in closed beta, with companies from Argos to Air France testing it before a wider role out.
INTERACTION
Five potential hotspots in the personal data revolution, from Capita experts and independent innovation researchers
Managing who we are
"There is no new value to be gained in just harvesting and hoarding data from empowered individuals. It doesn’t work that way."
IDEN
TITY
I think one of the interesting developments around personal data will be how 2.0 businesses learn to treat it differently from traditional ones.
For example, banks evolved their digital approaches in a number of steps. First they got a website. Then they got us to fill in forms for them behind the scenes. Then they cut out the middleman and we started to move our money around ourselves. Essentially, we do some of their work for them.
But that is a very different attitude to how the challenger banks are looking at data. They are creating tools that enable people to make better financial decisions. Where traditional industries are still thinking in terms of collecting individuals’ data and using it to commercial advantage, 2.0 businesses are embracing the networked society and thinking about how they can give you tools to use your own data in better ways.
They recognise that new value is driven by empowering networked individuals and connecting them together so they can evolve that value. There is no new value to be gained in just harvesting and hoarding data from empowered individuals. It doesn’t work that way.
Making better data decisionsMeanwhile a lot of us continue to make bad choices with our personal data - not paying enough care or attention to it - but I have to believe we will start to get our act together. I do think younger generations are getting better at appreciating the value of their data, being more analytical about it, and hopefully more rational.
And I think the time could be right for a wave of personal identity management tools to become popular. They’ve been around for a few years – Yoti is a good example – but in most cases they were solutions that came to market too soon.
But now could be their time as there are certainly signs that some large organisations are starting to get more muscular about who owns your identity – you or them, because they hold all the data?
I think some of the coming disruptions around personal health and the quantified self will drive those conversations as people realise companies are building up quite a store of personal health data around them, and they’ll begin to wonder what’s happening with it.
The question then is who acts as your identity custodian? I don’t present the same face to every organisation I deal with. I want to be a different person in different places, and I want that decision to be within my power, not someone else’s. Personal identity management will allow me to do that.
BECAUSE IDENTITY IS IMPORTANT, AND YOU SHOULD BE MORE THAN JUST EVERYTHING YOU’VE EVER BOUGHT, AND EVERYWHERE YOU’VE EVER BEEN.
Capita’s Digital Innovation Director, Dr Catherine Howe, reflects on the growing need for us to manage our digital identities, and how business may shift to adapt.
Dr Catherine Howe
Digital Innovation Director
SECU
RITYSEC
URITY
The search for a personal data guardian
“How many tech giants would fold and services go offline if consumers simply withheld their data?”
Decode is a European Commission funded project aimed at giving consumers a fresh set of tools to take control of their personal data. So how far ahead are they thinking, and what type of future do they predict?
In 2017 the Decode consortium of 14 European organisations – ranging from technology centres to IoT and software providers – began their research and a series of pilots with the aim of reporting by 2020 on how people can take a firmer grip on their place in the data economy.
UK representatives in the consortium include the Information Security Research Group of University College London, and innovation foundation Nesta. (Decode snappily stands for Decentralised Citizen Owned Data Ecosystem, if you were wondering.)
What Decode has in mind is the creation of a series of practical tools that should enable people to:
� specify in very fine detail exactly how their data is shared and with whom
� be able to continue the authenticated digital participation we enjoy today, but without revealing private information to do it
� find a way of enabling personally gathered Big Data to be used for social good, without impinging on individual data rights
Loosening the grasp of the mega-corporationWhile some of this can be done at present, Decode argues that, notwithstanding GDPR, it is often not enacted in a privacy-preserving way that first and foremost puts people in control of how their data is used.
For example, as part of its report on the project, Nesta took issue with how mega corporations such as Google and Facebook exhibit an enormous hold on the infrastructure that is the Internet economy, but are effectively unaccountable.
“Their business model relies on asking users to trust platforms absolutely, yet companies benefit from opacity and lack of transparency around where they make their profits from data.
“The use of personal data as a commodity has amplified in scale and complexity, leaving regulators struggling to catch up. People have surrendered their personal data and have limited control over how this is used. This has led to a strong market concentration in the digital economy with a handful of platforms being able to gather, aggregate and analyse a large amount of data.”
Google, for example controls 90% of the search market, and Facebook boasts a penetration of 89% of all Internet users.
“Five hundred million adblock downloads is a
symptom of a market which isn’t working well for people,” Nesta concludes. “As the Internet has grown, the data which enables the Internet economy to function has departed from the control of the people who generate it.” If you doubt that, then just consider how many tech giants would fold and services go offline if consumers simply withheld their data, they argue.
When dealing in data becomes too riskyHowever Nesta at least sees GDPR as a sign that the tide is turning, and that cavalier attitudes towards the use of consumers’ data could become a much less attractive business model.
“The cost of holding personal data will become more expensive as regulations become more onerous and the price of getting it wrong could disincentivise companies from holding such data,” it asserts.
For the moment it will be the good people of Amsterdam and Barcelona representing Europe’s consumers in this study. Four pilots will look at the ‘philanthropisation’ of data, seeing how it can be shared and blended for the common good, but also how residents can take back control of processes disrupted by data driven businesses.
The somewhat archly named FairBnB has a fairly obvious target in its
sights. (AirBnB has been criticised in Amsterdam for pushing up rents and restricting access to data about hosts who break local legislation.)
Bringing sense to automated decisions
Nesta also refers to the ‘tyranny of the algorithm’ where the analysis
of trivial information can be used to leap to largely senseless conclusions over which the public has no control. (An issue also addressed in GDPR.) They quote the research experiment with Facebook ‘likes’ that determined favouring curly fries was a strong indicator of high IQ.
‘The tyranny of the algorithm can mean leaping to conclusions over which the public has no control’
Amusing until you start running gender, sexuality and ethnicity through the same programme, or, as in the example of one US credit card provider, using information on expenditure around marriage counselling and psychotherapy to set credit limits.
“These examples suggest that data is being used beyond what could be fairly assumed as the scope of its original collection, to inform value-laden decisions which could exclude particular groups from vital products and services.”
Then there’s the privacy paradox; the fact that every time a survey is taken, consumers seem ever more concerned about their personal data not being secure, but then rush to throw swathes of it at organisations in return for free services and discounts which are often trivial at best.
And somewhere in Decode’s motivation lies the fear that today’s dominant internet platforms will grow to such powerful monopolies on the back of consumer data that choice and competition will be squeezed out. New companies will find it impossible to gain a foothold when so much data has already been landgrabbed by the giants.
How personal data could look by the 2030sLooking to the future Decode has chosen 2035 as the year for its data TARDIS to land and see what the landscape looks like.
In this age, it hopes, most people will have their own personal data portals, stored on home servers, with businesses given access only through their permission.
In the years leading up to 2035, governments and enterprise have come to question the wisdom and expense of holding personal data, with rising fines often extinguishing any monetisation value. Instead they focus on how they can use people’s data only when required, rather than storing it themselves.
A series of huge (and inevitable) data leaks involving health and biometrics information have resulted in irreversible mass data identity fraud. (You can change your password, but not your fingerprints.) Meanwhile a number of successful cyber attacks on data silos have finally convinced the public that server farms are the last places where their information is likely to be secure.
As a result a wave of new technologies materialise to enable people to simply and securely manage their own data, a process eventually encouraged by corporations who increasingly see holding personal data as too high a business risk.
That’s the good picture of data sovereignty. The bad one?
“The amount of data created by any person who uses connected devices is magnitudes larger than people’s current digital footprints. Location data of every place someone has ever been, everything they have ever bought, the time they spent hesitating over their choice to buy, the details of their mood, levels of hunger, tiredness and frustration at the time, their full medical record and genomic information, a catalogue of photo and video data linked together by facial recognition larger than an existing library, granular details of their academic and employment history, every relationship, every public statement and every online interaction…” All accessible - and under someone else’s control.
Decode’s five key objectives
1. Provide alternatives to current dominant Internet platforms offering a more democratic approach to creating and sharing economic resources.
2. Effectively using an extended range of data coming from people, sensors devices and the city to enable collective, bottom-up decision-making.
3. Ensuring that people are in full control of their data and identity while maintaining privacy and trust in the systems they use.
4. Creating space for third parties to implement relevant innovative approaches and applications.
5. Preserving the digital sovereignty of citizens and preventing unauthorised use of their personal data on clouds, social networks and the Internet of Things.
CU
RIOSITY
Looking for agents who can ask the right questions
Andy Moorhouse, Head of Insight at Blue Sky Performance Improvement, argues that in the world of personalisation, it’s the agents who ask the unexpected questions who deliver the most effective service.
As an agent, curiosity is one of the key mindsets in customer service generally, and particularly in a telesales context. It’s also a major driver of loyalty. You have to be curious to understand what the customer really wants. You have to be prepared to think, ‘I’m not going to automatically follow the process, I’m going to ask a question’. It’s a behaviour that generates sales and brings people back.
For example, when we did some work with a UK kitchen supplier, the killer question that the consistently top performing sales agents would ask was to do with vision: “describe the kitchen you’ve always wanted. Tell me about the kitchen you’ve always dreamed of. What’s your ideal?”
Across the country that’s what their best people would be saying. They were making sales because they wanted to picture and understand what the customers wanted, and they were talking to them in terms of their dreams and ambitions. Meanwhile the bottom performers were asking the data driven questions – what are the dimensions of your kitchen, do you have a feature wall, how large is your cooker and so on.
That drive to understand what’s really important to the customer – and also to understand your place in being able to enable it – is incredibly important.
I remember once sitting next to an agent called Dawn who was working for a leading UK bank, and was on quite a sad call. A customer was basically putting himself into a hospice and tying up the loose financial ends before he went there. He was asking to cancel his direct debits.
Most were ok, but he had one that was only a few pounds, couldn’t remember what it was, but wanted to get rid of it anyway just to tidy things up. He had his life insurance sorted and that was all he was really worried about.
And Dawn said no.
She challenged the rules. She said no, you really shouldn’t be cancelling something, even if it is just a few pounds, if you’re not absolutely sure what it’s for.
Some agents would have just gone ahead and cancelled the direct debit, or left it there and let the customer go away and check. But Dawn was determined. She got on a three way call, phoned AXA who the direct debit was for, gave them the reference number, handed over the client to talk to them, and he discovered it was a for a funeral care plan that he and his relatives would have completely lost the benefit of if Dawn has just said ‘ok’.
This whole thing probably took about half an hour – a disaster in AHT terms. But that curiosity, that determination to ask the question and find out what’s at the bottom of this enquiry, is what delivered an excellent experience for that customer.
However, curiosity cannot operate within a 200 second AHT based environment, and it's down to the leadership team to give agents space to be curious, to grant them permission to explore, and to frankly #doitlikeDawn.
That’s where the secret of creating loyalty lies.
Andy Moorhouse
Head of Insight at Blue Sky Performance Improvement
VA
LUE
It’s my data, and i'll deal if I want to
The landscape of data ownership is starting to shift. Regulations are making it more complex for organisations to gather and hoard; customers are learning their data has a value and are beginning to bargain. Capita’s Insight, Analytics & Improvement Director, Alan Linter, wonders where it could lead.
This month the Open Banking Standard comes into force with the first APIs launched on January 13. This represents a significant step for personal data in the UK because it will now be a legal requirement for banks to share your financial data with the organisations you instruct them to.
And that will include your transactional information - what you spend and where you spend it.
For many people that makes up a lot of the footprint of who you are, how much you earn, and what you like to use your money for. So that’s a huge change in terms of granting organisations access to important data that they currently don’t have on you – data that enables them to significantly improve what they can offer, including a number of the services traditionally carried out by banks.
So a leading telecommunications company, for example, might say, while we’ve got all this data, maybe we should become an insurance company or a lending company?
Equally the banks could be thinking, if we’ve got to share this data and see some of our business disappear, maybe we should make up for it by including a mobile phone offering?
I think it’s also a demonstration of the growing trend to return the power of personal data back to the customer.
Trust and customer serviceClearly the major issue right now is one of trust. It’s likely that, for a while at least, customers will continue to prefer to trust banks with their savings rather than a mobile phone operator, but who’s to say that situation won’t change over the years?
And it’s not hard to see how that can happen in small steps. Last year it became clear that Amazon was targeting the insurance business in the UK and a few other European markets, and was starting to recruit insurance professionals with the aim of offering its own service.
Amazon already has a fantastic reputation for customer service – not something the insurance industry always enjoys – so probably reckons it can disrupt that market fairly successfully. It knows many of the products its customers have in their homes, and through the Echo and Alexa it’s building a strong base in smart home technology. All those items will need insuring.
“Is the general public at the point of realising it could make money from its personal data?”
Alan Linter
Insight, Analytics & Improvement Director
As customers begin to proactively share more of their data with organisations who’ve earned their trust – both via good customer service and the respect with which they’ve treated that information – you could see companies like Amazon also offering, say, energy. You continue to get your electricity from Npower, but you do it via Amazon. You pay Amazon, they get a good deal for you and pay Npower, and if anything goes wrong, Amazon sort it out for you.
If you want my data, pay upI think another major change we’ll see around personal data is a shift from customers feeling they have to share it in order to get any kind of service from an organisation, to saying, no, if you want it, you pay for it. We’ll enter the age where we can monetise our own data.
What’s interesting about the Open Banking Standard is how it encourages that sense of ownership: this is your data for you to share as you wish, with whom you wish. It’s not something the banks can keep to themselves.
There is a vast number of companies that make their money on the back of personal data, for example price comparison websites where energy companies pay them for generating leads. So what happens when customers say, ok, you can share my information with these half a dozen energy firms if you want, but you’ll need to pay for the privilege if you want to profit from it. And if you don’t, well, you’re not going to have it, and you can’t do your business.
Similarly, I remember we once calculated that on average you need to contact 26 organisations when you move house in order to give them your new details. What if instead you granted those organisations access to your information so their databases would update automatically, but now, as they’re saving money on staffing contact centres to take your call, you want half of that saving back.
Will customers catch on to the value of their data?Is the general public at the point of realising it could make money from its personal data? No, probably not, because we are so used to giving it away free.
But some sections of the public will be, and I think we’ll see a flurry of new niche services that will expose people to the cost advantages of bargaining with their data more robustly. And news will get round.
As GDPR takes hold, and customers become more aware of the power of their personal data, I think you could see two trends developing towards it in the future.
There will be those who will automatically tick ‘no’ to everything and refuse to share their data with organisations because they see no advantage to it and they prefer the idea of keeping that data to themselves. And there will be those who will say sure, you can have it, but you’ll have to pay, either through a cashback deal, or by offering me a better or lower cost service, or some other way for me to make money. What will disappear is that group that just ticks ‘yes’ without any thought or expectation of return.
Gradually customers will become educated about how much their personal data is worth. If they could see the billions of dollars huge companies like Google and Facebook make on the back of their data - and nothing else - I think many would frankly be horrified.
So could we reach a point where consumers say to them: “for every pound you make on my data I want 10p or I’m taking it all away from you.” Absolutely. Why not?
The Open Banking Standard
The standard sets out to establish a way in which data can be securely shared or published through open APIs, enabling third party apps to access users’ information through their bank accounts. (Most notably Fintech companies looking to offer more competitive services than traditional banks can.) By allowing banks and third-party developers to work together, customers should find they can…
� More easily compare current account services before deciding on a switch
� See clearer snapshots of their financial history so they can budget better
� Access credit from third-party lenders that may have more advantageous loan rates
� Easily run affordability checks to speed up loan processes (an improvement on the tedious uploading of bank statements)
� Connect accounting software directly to bank accounts to make online accounting simpler for businesses
� Make better use of specialised third party fraud detection
The Open Banking Working Group began formulating the standard in 2015, at the request of HM Treasury, as a way of exploring how personal data can be more easily used to help people transact, save, borrow, lend and invest their money. January was just the start of its roll out, and the Competition and Markets Authority will be enforcing its implementation.
Rather than being restricted to doing all your banking through one organisation, Open Banking envisages customers mobilising their personal data in a way that lets them have a current account with one provider, insurance with another, a mortgage with a third… all far more conveniently than they presently can.
Welcome to the age of the citizen data scientist
EVO
LUTIO
N
Just one of the predictions from technology researchers Gartner as they try to chart the trajectory of tomorrow’s data.
“By the end of 2018, 20% of users will have disabled intelligent listening and video capabilities on their devices to safeguard their privacy.”
Last year American IT researchers Gartner did some crystal ball gazing on how they expected data and advanced analytics to affect business and customer service from 2018 through to 2020.
Their study went looking for both the possibilities offered by transforming to a fully digital business, and the disruptions that would occur along the way to the old, siloed-data mindset.
Businesses needed to “look at data as the raw material for any decision, and consider that data comes from both within and outside the enterprise,” they concluded. And personal data was a part of that.
Although Gartner went on to make 100 separate predictions – many based around the impact of AI – we picked out a few that relate most closely to the analysis and use of personal data in customer management. (Though that’s not to say we agree with the likelihood of all of them…)
CRM and Customer Experience
Gartner’s figures project an even greater emphasis on data analytics to enhance customer service, but also foresee that consumers will start to become more selective about the apps they use, pruning down to only those that deliver genuine benefits.
By the end of 2018half a billion users will save two hours a day, thanks to AI-powered tools.
By 2020more than 40% of all data analytics projects will relate to an aspect of customer experience.
80% of consumers will use only half the number of apps they currently use today.
We’ll all be data scientists
Advanced analytics is becoming part of the mainstream and will soon be a basic competency in many organisations. Consequently we’ll see the rise of the ‘Citizen Data Scientist’, defined as someone whose job sits outside the field of statistics and analysis, but who can still “create or generate models that use advanced diagnostic analytics or predictive and prescriptive capabilities”.
By 2019more than 10% of IT hires in customer service will mostly write scripts for bot interactions.
AI platform services will cannibalise revenues for 30% of market-leading companies.
By 2020more than 40% of data science tasks will be automated, resulting in increased productivity and broader usage by citizen data scientists.
Personalisation and privacy
Privacy will become an increasing concern for consumers and a necessity for organisations if they are to win customer loyalty.
By the end of 201820% of users will have disabled intelligent listening and video capabilities on their devices to safeguard their privacy.
By 2020more than 50% of consumer mobile interactions will be in contextualised, ‘hyperpersonal’ experiences, based on past behaviour and current, real-time behaviour.
large global-enterprise use of data masking or similar pseudonymisation techniques will increase to 40%, from 10% in 2016.
companies that are digitally trustworthy will generate 20% more online profit than those that are not.
Mobile apps and the spread of monitoring
As connected personal devices become all pervasive, corporations will seek to leverage the personal data they generate for improved productivity. (Though Gartner makes no call on how employees may feel about that.)
By 201920% of users' interactions with their smartphone will be via virtual personal assistants (VPAs).
99% of multinational corporations will sponsor the use of wearable fitness tracking devices to improve corporate performance.
By 202050% of employees who are working alone or are operating vehicle or heavy equipment will be monitored by biometric-assisted technology.
Digital commerce
Finally Gartner expects us to be entering the era of the mega-breach where the number of affected customers will be enormous and the cost to the business potentially life-threatening.
By 2020there will be one major data breach leading to the leakage of at least 100 million customers' data and the loss of $1 billion.
40%
80%
30%
10%
40%
20%
50%
40%
20%
20%
99%
50%
9 GPDR questions to ponder
1) Will there be any breathing space when GDPR arrives?One of the misconceptions around the new regulations is that there’ll be time to adjust to them - a few weeks to get your house in order when the day finally comes.
It’s a vain hope. As far the EU Commission, Council and Parliament are concerned, companies have already had two years to prepare, so there will be no soft landing. However, Elizabeth Denham, the UK’s Information Commissioner, has said that stories about minor infringements immediately receiving maximum fines in order to make the point are ‘scaremongering’.
“Don’t get me wrong, the UK fought for increased powers when the GDPR was being drawn up. Heavy fines for serious breaches reflect just how important personal data is in a 21stcentury world. But we intend to use those powers proportionately and judiciously.”
Nonetheless the basic message about GDPR is that all the preparation has to be done before May 25th. The work in building a comprehensive understanding of all the personal data you hold – what it is, where it is, why you have it – needs to have been completed by that date so you can meet individuals’ requests around their information. That’s what the rules dictate.
2) How about wriggle room?GDPR is an EU regulation, not a directive, so individual member states should not be able to interpret the meaning, delay implementation or tweak the rules according to their desires. Thus it puts up a consistent barrier to non-EU countries – the US in particular - who might otherwise try to circumvent the regulations by leveraging a loophole in one territory. In fact, overall, GDPR will deepen the divide between the US and the EU on how personal data should be treated.
The UK situation is of course complicated by Brexit, but in last June’s Queen’s Speech the government confirmed that GPDR will form part of UK law after withdrawal from the Union. The Speech noted that:
“70% of all trade in services are enabled by data flows, meaning that data protection is critical to international trade.”
True, there will be some exceptions and defences for organisations not complying with certain parts of the laws, but these are mostly wrapped up around freedom of information and speech, and public interest, and are unlikely to be relevant in the vast majority of commercial cases.
3) Why is this also a big issue for American companies?Because it won’t matter where the data is held, if it involves an EU citizen it will fall under EU law. Thus American businesses, or any others outside the EU, will not be able to claim immunity because they are operating inside their own territorial laws. They will face the same fines and penalties as any EU business.
Towards the end of 2017 it was reported that most major American companies had put aside between $1 million and $10 million to meet GDPR requirements, yet tech researchers Gartner were still predicting that at least 50% of US businesses would not be compliant in time. It issued a crystal clear warning that: “if your organisation has an establishment in the European Union, offer services or goods to residents of the EU, or monitors an individual’s behaviour in the EU, GDPR will apply to your firm.”
Even so, there is still that sense that many American organisations are playing a ‘wait and see’ game on how the rules are enforced before pressing ahead with a response.
Clearly there are some very high profile American tech and social media businesses who won’t be waiting, as they will see certainly their normal ways of working disrupted by GDPR.
For example, the commonly seen vague reasons for obtaining an individual’s data, such as ‘improving the user experience’ or ‘future research’ will fail GDPR’s criteria of being specific and thoroughly explained.
Neither will they be able to collect more data than they need and then retroactively use it for another purpose. GDPR does give companies some leeway to reuse previously gathered data, but it has to be compatible with the original purpose for which consent was given.
Interestingly, in the closing weeks of 2017, Google began changing its contracts with advertisers to stipulate whether Google was the data controller or processor – thus rolling some of the compliance responsibilities out to the advertisers themselves.
On May 25th, any business that works with personal data will wake up to the most transformative and far-reaching legislation the industry has ever seen. So here’s…
as the deadline approaches
4) What’s the situation with data breaches?A breach that leads to the unauthorised disclosure of or access to personal data (eg, its hacking), or the loss, alteration or destruction of such data, must be notified to the relevant supervisory authority within 72 hours of the organisation becoming aware of it, if that breach threatens financial loss, loss of confidentiality, or any other significant or social disadvantage to the individuals concerned. In the UK that authority is the Information Commissioner’s Office.
In instances of high risk, the individuals need to be informed as well.
While GDPR does envisage breaches that may not meet the threshold for notification – the ICO suggests the loss of a staff telephone list for example – anything that might open individuals to the risk of identity theft would require notification.
This is a significant toughening of the law that, for example, would put a very different light on Uber’s recent announcement that it concealed a huge data breach in 2016. And this is certainly one area where American companies with data on EU citizens may feel the bite of GDPR.
The US congress has repeatedly tried and failed to agree federal breach notification legislation. Instead the majority of states each have their own rules. While many already chime with the overall principles of GDPR, in most cases they give organisations a lot more room for manoeuvre. The threshold for what qualifies as a material breach is higher.
It often needs to be considered ‘sensitive’, and certain categories escape the need for notification all together, while for GDPR it’s all types of personal data. The time allowed for notification is longer, and breaches do not automatically confer the right of individuals to seek compensation.
(Under GDPR individuals will be able to make a claim for compensation much more easily, and do so against processor as well as controller.)
In short, the idea that breach notification is at the discretion of the board, who may decide against it for commercial purposes, is a belief looking down the wrong end of a multi-million Euro fine.
Within 72 hours GDPR expects organisations to have reported back on:
� The categories and numbers of individuals affected
� The categories and numbers of personal data records concerned
� A description of the likely consequences of the breach to those individuals
� What you plan to do about it
When it can sometimes take months to even realise a breach has occurred, that is a daunting amount of information to gather in three days; another reason the housekeeping exercise of ensuring all your data is completely visible is so important.
If your organisation feels the breach is material enough to notify the supervising authority, but not serious enough to tell the public, the authority could overrule you, potentially upping the reputational damage even further.
5) I’ve heard that Shadow IT could be a problemDepending on your company’s culture and attitude towards security, it could be a thorn in the side of you remaining legal under GDPR. Shadow IT is when employees take IT into their own hands. A common example is when they open personal cloud accounts and use them to shift around company data because it’s more convenient.
It might mean they have it more easily at their disposal, or it may avoid them having to jump through tedious internal security hoops. Today such cloud accounts are easy and often free to set up, which has lead to a steady growth in this subsurface level of data hoarding.
Alarmingly, a recent report by Capita in collaboration with Trustmarque revealed that 76% of company CIOs don’t know how much their business spends on cloud services. More worrying still, 54% admitted they had no idea how many cloud-based services and individual subscriptions their organisation and its employees have.
This is a nightmare for GDPR compliance. The regulations call for companies to have a completely comprehensive record of where all their personal data is, and they also mandate 72-hour breach notifications.
If you have little clue as to how many cloud accounts your employees have, and even less of an idea what’s on them, compliance becomes almost impossible.
Regardless of how much effort you’ve put into the rest of your preparation, you’ll be breaking the regulations on day one and not even know it.
6) But GDPR is an IT problem, right?Definitely not. The risks associated with falling foul of GDPR law are so substantial – fines 30 times higher than those under current DP maximums, not to mention the high-profile reputational damage – that this has to be a business critical issue for the entire C-suite. It’s hard to underestimate how much tougher GDPR is compared to the current Data Protection laws, yet some boards still seem unaware of the magnitude of the compliance challenge they face, even at this late stage.
Parking it as an IT problem is a major miscalculation. It needs to be a governance issue that operates from the very top of the business.
7) As long as we’re legal on the key issues by Day One, we can catch up with the rest later?Depends if you’re ready to gamble on a disinterested public. For example, one of the main differences between GDPR and the existing Data Protection legislation is the right of individuals to request access to the information organisations hold on them, and to hear back in 30 days. Some organisations may be thinking, “well, lets wait for the first request to come in, and we’ll still have a month to throw some resource at it.”
That’s a perilous mindset for two reasons.
1. You’re gambling that on day one, you’ll get a single, lonely request, when chances are there’s an army of people waiting to exercise their data rights, because now they can. You could be inundated, and if you haven’t thought this through, you may not be able to fulfill all those requests. And as we’ve said before, no soft landing. Being ‘surprised’ by the amount of interest and unprepared to deal with it will not be much of an excuse.
2. It’s not really how GDPR works. It’s not a matter of having a month to get up to speed and fulfill these requests by the 30-day deadline. It’s that you must have done this exercise, and have all your data mapping in place before May 25. If not, you could be in breach of the rules, whether you receive 1,000 requests or none.
8) How does it change the way we get consent to use a customer’s data?GDPR raises the bar on the consent organisations need to obtain in order to process personal data.
The major changes are that consent must be explicit - opt-in not opt-out, so no more pre-ticked boxes - and that individuals have the right to withdraw it at any time. The ICO speaks of consent needing to be “a statement of clear and affirmative action.”
There are also stricter guidelines on how that consent can be obtained. Organisations’ requests for consent must be…
Unbundled – separate from other terms and conditions, and cannot be a precondition of signing up to a service unless necessary for that service.
Granular – accompanied by a thorough explanation of options to consent to different types of processing where appropriate.
Names – organisations and third parties relying on that consent must be identified. Merely defining the categories of third parties will not be acceptable.
Documented – thorough records will need to be kept on what the individual has consented to, including what they were told and when and how they consented.
Easy to withdraw – individuals must be told they have the right to withdraw consent at any time and how they can do it. A simple and effective withdrawal mechanism will need to be in place as, in the words of the ICO: “it must be as easy to withdraw as to give consent.”
While the issue of consent has generated a lot of angst, in truth it should not greatly disrupt properly behaving, responsible businesses with a legitimate reason for interacting with customers and seeking their data in order to assist them.
GDPR is more focussed on enterprises whose attitude towards consent is, let's say, elastic, and where the harvesting of personal data is more an information landgrab for commercial advantage, rather than offering a genuine benefit to the individual handing it over.
Neither, as some have surmised, is it a blanket ban on any personal data being processed by anyone, anywhere, unless the individual has specifically given consent.
There are a number of other lawful bases for processing that include compliance with legal obligations, when needed for the performance of a contract, around issues of health and public interest, where necessary to protect the vital interests of another person, and so on. Though it’s true to say, not many of these will intersect with the majority of commercial or customer management uses.
9) How have approaches to accountability and governance shifted?They’ve toughened up. While data regulations have long encouraged organisations to build in comprehensive accountability and governance provisions around personal data, GDPR raises that to a legal requirement.
Organisations need to be able to demonstrate that they’ve complied with GDPR’s accountability principles by…
� Implementing appropriate internal data protection policies such as staff training, internal audits of processing activities and reviews of internal HR policies
� Maintaining relevant documentation on processing activities
� Where appropriate appointing a Data Protection Officer
� Implementing measures that meet the principles of data protection by design and data protection by default, such as data minimisation, pseudonymisation, transparency, allowing individuals to monitor processing and using data protection impact assessments.
Awareness You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.
Information you hold You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
Communicating privacy information You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
Individuals’ rights You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
Subject access requests You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
Lawful basis for processing personal data You should identify the lawful basis for your processing activity in the GDPR, document it, and update your privacy notice to explain it.
Consent You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
Children You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
Data breaches You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
Data Protection by Design and Data Protection Impact Assessments You should familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.
Data Protection Officers You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.
International If your organisation operates in more than one EU member state (ie you carry out cross-border processing), you should determine your lead data protection supervisory authority.
How the Information Commissioner’s Office says you should prepare for GDPR, in 12 steps.
What you need to do
1
2
3
4
5
6
7
8
9
10
11
12
If you have feedback, questions or any thoughts on what you’d like us to cover, please connect with us using the following:
www.capitacustomermanagement.co.uk
www.linkedin.com
@capitacustmgt
As the UK's leading provider of business process management and integrated professional support service solutions, our 73,000 dedicated staff across the UK, Europe, South Africa and India help make processes smarter, organisations more efficient and customer experiences better. We unlock value by applying talent and technology for you, your organisation and our communities.
Capita is quoted on the London Stock Exchange (CPI.L), and is a constituent of the FTSE 250 with 2016 revenue of £4.9 billion.
Further information on Capita can be found at:www.capita.com