GDPR: Don’t forget to train your customer service team

Your customer service team is going to get questions about GDPR. Make sure they know what to say.

You can’t spell GDPR without the PR, and that also holds true for your GDPR compliance efforts. You’re working hard to make the proper updates and adjustments to your business to become compliant with the EU General Data Protection Regulation (which goes into effect this week), but it’s also important to make sure that your customers know that you’re compliant.

In fact, it’s kind of a requirement.

Chances are you’re putting the final touches on an email to inform your customers about your updated GDPR-compliant privacy policy. You may have already done so. That’s a good first step.

But not everyone is going to see the email. Some will skip it, others will miss it entirely, some may end up in spam folders. And then some people may even read it and decide they have more questions. The point is, there is a 99.9% chance that at some point someone will call your company and ask about what you did for GDPR.

And chances are, you won’t be the one taking that call. That’s why it’s critical to train your customer service team to respond to these questions. Let’s hash out how to do that.

Identify the most common questions you’ll be asked

This should be your starting point. Think about what industry you’re in, what partners you share data with and just generally how data flows through your organization. This shouldn’t be difficult, as you’ve already had to do it to become compliant in the first place. So, it should be fresh in your mind.

Using our organization as an example, here were the questions we came up with:

  • What is GDPR?
  • Does the GDPR affect non-Europeans?
  • Are you GDPR compliant?
  • What are you doing/have you done to be compliant?
  • What information are you collecting about me?
  • What are you doing with my data?
  • Are you Privacy Shield certified?
  • What technical safeguards do you have in place?
  • Can I get a Data Processing Addendum from you?
  • Is the GDPR retroactive?
  • Are your partners GDPR compliant?
  • How can I verify that you’ve really done all this?
  • How do I modify or delete my information?

Obviously, the questions you field will be largely dependent upon your organization. If you’re in the healthcare sector, you may be asked how GDPR affects HIPAA compliance. Likewise, the financial sector may have to explain how the GDPR meshes with various financial regulations. Only you will be able to identify the key questions your company or organization will need to answer.

Create a customer service cheat sheet

The nice part about the questions we just discussed is that you can go ahead and refine your answers ahead of time and then just list them on a cheat sheet. While I’m hesitant to load the one we will be using (after all, it’s a proprietary document) I can suggest just creating a simple two column table in Word (or whatever word processing program you use) and then putting the questions down the left side and the answers down the right.

This way, your customer service department won’t be asked to think on their feet about a topic they likely aren’t all that familiar with. Instead, they can just give a bottled answer and satisfy the question. This will also be a good way for your customer support team to familiarize themselves with the new regulation, as the document will contain the majority of the information they need to understand it.

Create supplemental content for your customer service team to reference

Don’t just stop at a cheat sheet, go ahead and toss a couple of pages or a PDF on your website so your customer service team can point customers to them. Oftentimes this can save you an entire conversation. You may want to have a specific page that is dedicated to your GDPR efforts. It may also be beneficial to build one for Privacy Shield and one for data rights, too. That way when a customer requests information on a policy, you can easily just send them a URL or a PDF and provide them with the resource they’re looking for.

While writing GDPR content is another topic entirely, try to at least remember to make yours friendly. By that I mean write clearly, avoiding technical jargon and acronyms, so that customers can read it once and feel like they have a good sense of your data practices. People notoriously don’t read privacy policies or terms of service because they are long, dense and boring. So don’t make these pages feel like that. After all, you’re trying to build trust, and nothing builds it quicker than being straightforward and easy to understand.


These last two topics also deal with compliance, which makes them especially important.

Train your customer service team to escalate certain requests

There are two scenarios where you may want your customer service team to escalate a call. The first has to do with a customer exercising their data rights. We’ll refer to this as a data request. The GDPR gives customers a lot of control over their data. They are allowed to get a copy of what you have collected about them, they can ask to have it modified, and under the Right to be Forgotten they can even ask you to delete it entirely. Unless you plan on training your customer support team to handle data requests themselves (which is ill-advised), they’re going to need to escalate the call to someone who can.


The second, far less frequent scenario is that you’re going to get the occasional caller who asks deeper questions than your customer support team can comfortably handle. A lot of times these are just extremely judicious customers, but it’s also possible that come Friday (May 25, when the GDPR becomes enforceable) there will be some unscrupulous types probing for potential issues they can exploit. Either way, you don’t want to give your customer service team the opportunity to misspeak or get something wrong. Again, this is not meant as a slight towards customer support reps – they are the backbone of many companies – it’s just a matter of GDPR not being a familiar topic.

So, if questions are a little too specific, or beyond the knowledge of the customer service department – or you are dealing with a data request – you need to train your team to escalate the request. The hierarchy you put in place is up to you. You may want to put a manager up the next rung, provided they are more familiar, as a buffer. Regardless, at the top of the food chain should be your Data Protection Officer (or the employee that oversees your GDPR and Data Security efforts). You may choose to put any questions or requests in writing, in the form of a ticket, before passing it up the chain, but the GDPR requires you to have an accessible DPO in Europe, and while US companies aren’t required to have a DPO, they still need someone to run point on data requests.

Remember, you also have to list that person’s contact details on your privacy page. Just don’t be fooled into thinking that listing it there will stop customers from dialing up support to get their questions answered though. It won’t. People are still going to call. So make sure your team knows which questions to field and when to say, “Let me connect you with someone who can better answer that question.”

If you’re recording the call, make sure you notify the caller

This is already considered a best practice, and while the GDPR is ambiguous in a number of areas—this is one issue where it is not. It’s quite clear that you need to notify a data subject anytime you collect data. I know right now you may be asking, “but this is a telephone, I thought the GDPR was for computers.” In reality, both of those assumptions are wrong. The GDPR is about personal data. And yes, you may be collecting it on a telephone, but you’re likely entering it into a computer to look up an account or an order—that’s processing. So you definitely need to make certain notifications over the phone.


Now, I don’t think you need to be as granular as you would be on a website. There are certain implications with phone calls. For instance, if someone calls about an order, there’s no need to say, “I will use your name to look up your account.” Simply requesting the name serves as notification enough; the caller can easily infer that it’s going to be used to look up his order.

However, you can make no such case for recording someone. And here’s the other thing: unless you’ve got a legal basis for recording the calls (contractual, legal obligation, legitimate interests, etc.) you also need to get a caller’s consent. Like I said, there are five alternative legal bases to use. But failing the other five, you have to get consent to record calls. Obviously, in this case a pre-recorded message played at the start of the call is no longer sufficient unless it provides an option to consent or decline. It will be important for you not only to train staff on making the notification, but also to refine the notification, and the way it’s pitched, to maximize positive outcomes.

And one more time, while the need for consent may be debatable, the need for notification is not.

A closing thought on preparing customer support for GDPR

The GDPR requires any company that does business with Europe to review and adjust its data policies. But for a great number of the companies and organizations affected, the bulk of their effort has been spent on websites and email.

Don’t forget about the people answering the phones and manning your live chat. They are public facing and will likely have some interaction with GDPR-related topics. It’s not hard to schedule a quick meeting (or multiple ones if you can’t leave the floor empty) just to go over the basics, show them some online content they can reference and provide them with a cheat sheet. It will go a long way.

As always, leave any comments or questions below.

Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.