What Every Customer Support Agent Needs to Know About GDPR

6 min readMay 29, 2018

GDPR is here to stay, and if you want to do business within Europe, you have to follow the rules.

Every company with customers in Europe needs to understand and take action on GDPR. As of May 25th, 2018, businesses that do not take the proper steps to protect their customers’ private data can see huge fines. While there is still debate over exactly how quickly this will occur and how firm the first rulings will be, that’s no reason to slack on getting your house in order.

To be honest, this post is probably a bit late, but hopefully it helps you battle that “I have no idea what I’m doing” feeling that can arise during big sweeping changes like this. We’ve got your back, Jack.

Note: I’m not a lawyer or a digital protection officer. Rather than offer you specific legal advice, this post is only designed to ensure you ask the right questions of your team to prepare.

First of all, what is the GDPR?

The European General Data Protection Regulation (or GDPR for short) is a new regulation that gives individuals more control over their private data, especially in the hands of businesses. It doesn’t just affect EU businesses — any companies that want to do business in the EU need to abide by the rule of the law.

Second of all, what do customer support agents need to know about GDPR?

  • Under the new regulations, customers have many more rights when it comes to their data. Customer support will likely be communicating the most with customers about this, so be prepared for new questions you might not have the answer to.
  • If in doubt about a new policy, or customer request, ask your executive team! There’s still a lot unclear about how GDPR will affect every business, so it’s best not to guess.
  • If a data or security breach occurs, customers must be informed as soon as the company has discovered the breach.
  • Penalties for GDPR breaches are severe, but will almost always be preceded by a warning.

Finally, I recommend finding a way to compile all your GDPR questions into one queue.

If you use Zendesk or a similar help desk, you can create an automation to find specific words (like privacy policy, GDPR or data protection) and funnel them into one view. That way, you can take turns responding to those questions.

It helps prevent burnout, and it’s faster for one person to whip through a bunch that to handle them one at a time.

Four common questions customer support must be able to answer

1. What personal data do you currently collect from your customers?

This is a very common question for customers to ask (even before the GDPR went into effect). Customers want to know what information you have on them, how long you keep it for, and what it’s used for.

Compiling a list of all the personal data collected is helpful for two reasons. First, customers will ask. Second, because customers have the right to ask for this information to be deleted, it will need to be catalogued. If you don’t know what information you have, it’s tough to delete.

I’d recommend storing this information in a macro and a help center article, so you don’t have to go hunting for the information constantly.

2. I have this custom privacy policy/agreement I need your legal team to sign.

Depending on whether or not your company has agreed to sign custom contracts, your answer will be different. If your company has decided not to (and this is fairly common), your team needs to come up with a fair reason why… and also be ready to lose a customer over it.

Complying with several dozen custom agreements can be very difficult. For example, software companies that release new versions daily (or even hourly) would need to ensure that every release met the conditions of new contracts. That’s just not possible.

If you are accepting custom contracts, know who they will be sent to, and what the process is. How long will it take for them to receive a response?

3. I want my data to be deleted/ I want to request access to my personal information

This is going to be the major ongoing support request after GDPR is in place. Customers in the EU have the “right to be forgotten” or have all of their personal data you have collected be erased.

Companies cannot charge for this service, and refusing to provide or erase the data will result in a complaint to their countries data regulatory body.

You have 30 calendar days to respond to these requests. So it’s worth developing a process with your engineering/data team to work through them methodically.

For example, creating a spreadsheet where support can collect the necessary account details. Engineering can go through the spreadsheet once a week to retrieve or delete the necessary data, and support can notify the customer.

Go one step further and ask engineering to set up an API endpoint that a trained support agent can call to request data or delete data. That way, there’s no bottleneck to dealing with these requests, and you can fly through a queue.

4. You’re sending me X and I haven’t consented.

In order to collect and process customer data, companies must have explicit, opt-in consent from customers.

If a customer suspects you haven’t obtained consent, they can file a complaint with their country’s regulatory body. But they also might complain to you first.

In this case, know where to find record of consent. If it’s a marketing email, where did they sign up for it? If it’s order information, what is the reason and length of time it’s stored for? Being able to chase the source of consent will be helpful in responding to these complaints.

Whether or not they have actually consented, make it easy for the customer to revoke their consent and have their data removed from wherever it was stored. Just because they consented previously does not mean your company has the right to their data indefinitely.

Finally, make sure to flag these to your Data Protection Officer, or executive in charge of GDPR compliance. If there is a breach, it needs to be investigated to see if other customers also require updated consent forms.

A quick checklist for other things customer support teams should consider:

  • Who is your legal contact for more complex questions? Do you have a legal team to forward questions to? Or do they need to go through an executive team member to an external law firm?
  • Do you know where your privacy notice is posted? It needs to be posted publicly in easy to read language (no more terrible fine print!).
  • What communication guidelines do you have in place when it comes to corresponding with customers about data security? Ensure your team feels empowered — but that they also don’t overstep their boundaries into giving law advice.

Grant me the serenity to accept the things I cannot change…

GDPR is here to stay, and if you want to do business within Europe, you have to follow the rules. The best we all can do is make the best of it, take care of ourselves and our team, and accept this as the new normal. If you’re still panicking about GDPR, I recommend this excellent post by Jacques Mattheij.

The GDPR is designed to protect the privacy of citizens. If your company is operating in good faith, and doing what you can to abide by the rules — you will very likely not get fined.

There are processes in place to warn and assist businesses with updating their policies to become compliant. The EU is not out to “get you” — so do your best, and don’t worry about those gotcha moments.

PS: You can find Nicereply’s privacy policy HERE.

About the author

Sarah Chambers

Sarah Chambers is a Customer Support Consultant and Content Creator from Vancouver, Canada. When she’s not arguing about customer service, she’s usually outdoors rock climbing or snowboarding. Follow her on Twitter @sarahleeyoga to keep up with her adventures.

Measure CSAT, CES and NPS




Improve your #custserv & #custexp with Nicereply - a customer satisfaction survey software, including CSAT, NPS & CES 2.0