Call Center Compliance: GDPR

Howard Schulman

The recent swirl around General Data Protection Regulation (GDPR) has made it top of mind for businesses around the world, especially in the area of call center compliance. GDPR is a relatively new regulation that requires businesses to protect the privacy and personal data of European Union (EU) citizens for transactions that occur within EU member states.

The GDPR took effect on May 25, 2018, and it replaces the previous Data Protection Directive, making it the most important regulation in consumer data protection in years. The GDPR gives people more control over their personal data and consolidates privacy regulations across Europe.

After more than a year since the regulation took effect, it is now a fair time to reassess contact center practices in light of the new normal.


Contact centers need to pay particular attention to the fact that personal data is defined as any information relating to an identified person. This includes information accessible to agents, such as the telephone numbers that CRM systems use to identify callers. A call center can be located anywhere in the world and still be held accountable under GDPR if it processes the personal data of European Union consumers.

The European Commission defines personal data as any information relating to an individual, whether it relates to his or her private, professional, or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.


Non-compliance can be costly for companies and their call centers, so it’s important to understand why every company that does business in Europe needs to know about GDPR.

For a first case of unintentional non-compliance, companies can face a written warning; beyond that, they can be subjected to regular periodic data protection audits and to fines of up to 4% of their annual global turnover or €20 million, whichever is higher. The amount of the fine is based on the severity of the violation.

What types of privacy data does the GDPR protect?

  • Basic identity information such as name, address and ID numbers
  • Web data such as location, IP address, cookie data and RFID tags
  • Health and genetic data
  • Biometric data
  • Racial or ethnic data
  • Political opinions
  • Sexual orientation

Call Centers Are at High Risk for Non-Compliance.

It’s easy to see why contact centers become unwitting offenders of consumer protection rules and laws. They are on the front line of customer communications and have access to vast amounts of personal customer data, which makes call center compliance all the more challenging — and essential.

Under the GDPR, call centers now hold immense responsibility and accountability regarding the protection of personal data. Because individuals now have the right to access, obtain, change and erase personal data held by organizations through the GDPR, it is necessary for call centers to ensure that the personal data they house is only made accessible to the legitimate customer.

Data protection needs to be incorporated into all business processes, products and services, ensuring that all employees of an organization are aware of their obligations to protect any personal data to which they have access.

Call centers are especially vulnerable to non-compliance for some pretty important reasons.

  • Valuable Data. The wealth of information housed by contact centers can be leveraged by fraudsters for data mining and attacks in other channels. Interactive Voice Response (IVR), often unprotected, also gives fraudsters the opportunity to collect data, and Knowledge-Based Authentication (KBA) is easily defeated using information gathered from these data breaches.
  • Lack of Security. Unprotected contact centers are ideal targets for fraudsters due to numerous vulnerabilities. The contact center requires multi-layered security in order to successfully combat these attacks.
  • Cross-Channel Enablement. Although these attacks may not lead to account takeover immediately, omnichannel data mining can contribute to fraud at a later time. The contact center enables cross-channel fraud attacks, making it difficult for organizations to diagnose the source of a data breach.
  • Social Engineering. Pressure on agents to deliver the highest quality customer experience, combined with a lack of training on how to identify fraud attempts, makes them more vulnerable to fraud. Through psychological manipulation, these agents unknowingly enable fraudsters by performing certain actions or divulging confidential information.
  • Fraud Technology. Readily available fraud technology (e.g. caller ID spoofing, voice distortion, VoIP) makes it easy for fraudsters to impersonate legitimate callers and opens the door to data breaches.

How to Drive Business and Avoid Non-Compliance

Avoiding penalties and fines related to compliance issues is a substantial effort for call center leaders, but there are some tactics that will help make the job a little easier.

  • Conduct periodic agent training
  • Focus on laws and regulations affecting your industry
  • Provide scripts to keep agents compliant – digitize scripts and workflows for 100% adherence
  • Police agent areas to make sure customer information is secure
  • Enforce encryption of personal information
  • Maintain a digital and auditable trail of interactions, documents and e-signatures
  • Use technology that makes compliance easier for customers and agents
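Two of the tactics above, limiting what agents can see of a customer's personal data and keeping an auditable trail of interactions, can be shown in working code. The following is an added illustration written for this page, not code from the post's author or from any vendor it mentions. It assumes a small set of patterns for the data types the post lists as in scope (phone numbers, email addresses, IP addresses); the sample agent note, the agent ids and the keys are constructed for the example. Free-text notes are pseudonymised with keyed tokens before they reach agent-facing systems, while the token-to-value map is kept apart (in practice in an encrypted store, which is assumed rather than shown here), and every agent action is appended to an HMAC-chained trail so that later edits to the record are detectable.

```python
import hashlib
import hmac
import json
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Assumption of this example: simple patterns for three of the personal data
# types named in the post. Real transcripts need tuning (and names need more
# than regexes); the order matters because the IPv4 pattern must win over the
# looser phone pattern when both could match the same digits.
PERSONAL_DATA = re.compile(
    r"(?P<IPV4>\b(?:\d{1,3}\.){3}\d{1,3}\b)"
    r"|(?P<EMAIL>[\w.+-]+@[\w-]+(?:\.[\w-]+)+)"
    r"|(?P<PHONE>\+?\d[\d\s().-]{7,}\d)"
)

# Constructed sample note as an agent might type it after a call.
SAMPLE_NOTE = (
    "Caller Ana Lopez, phone +44 20 7946 0958, email ana.lopez@example.eu, "
    "connected from 203.0.113.42; asked to update billing address."
)


def pseudonymise(text: str, secret: bytes) -> Tuple[str, Dict[str, str]]:
    """Replace personal data in free text with keyed tokens.

    Returns the masked text plus a token -> original value map. The map is
    meant to live in a separately protected (encrypted) store; agents and
    downstream systems only ever see the tokens.
    """
    vault: Dict[str, str] = {}

    def token_for(match: "re.Match[str]") -> str:
        kind = match.lastgroup            # which named pattern matched
        value = match.group(0)
        # HMAC rather than a plain hash: without the secret, nobody can
        # confirm a guess by recomputing the token for a known phone number.
        digest = hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()[:10]
        token = f"<{kind}:{digest}>"
        vault[token] = value
        return token

    return PERSONAL_DATA.sub(token_for, text), vault


@dataclass
class AuditTrail:
    """Append-only, HMAC-chained record of agent interactions with customer data."""

    key: bytes                            # held by the audit function, not by agents
    entries: List[dict] = field(default_factory=list)

    def record(self, agent: str, action: str, subject_token: str,
               when: Optional[str] = None) -> dict:
        prev = self.entries[-1]["mac"] if self.entries else "0" * 64
        entry = {
            "seq": len(self.entries),
            "at": when or datetime.now(timezone.utc).isoformat(),
            "agent": agent,
            "action": action,
            "subject": subject_token,     # the token, never the raw personal data
            "prev": prev,                 # chain link to the previous entry's MAC
        }
        entry["mac"] = self._mac(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if every entry is intact, in order and correctly chained."""
        prev = "0" * 64
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "mac"}
            if entry["seq"] != i or entry["prev"] != prev:
                return False
            if not hmac.compare_digest(self._mac(body), entry["mac"]):
                return False
            prev = entry["mac"]
        return True

    def _mac(self, body: dict) -> str:
        canonical = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self.key, canonical, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    masked, vault = pseudonymise(SAMPLE_NOTE, b"example-masking-key")
    print(masked)
    trail = AuditTrail(key=b"example-audit-key")
    for token in vault:
        trail.record("agent-17", "view", token)
    print("trail intact:", trail.verify())
```

The masked note is what an agent's screen or a transcript export would carry; a subject access or erasure request is then served from the vault by token, and the trail shows who touched which token and when, with any after-the-fact edit breaking `verify()`.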

Rules are in place for a reason. We are all consumers and want to know that our information is secure—whether it’s financial information or medical files. It is up to those in call centers to be the champions for their customers.
