kreizihorse - Fotolia


GDPR customer data compliance for service and support teams

Getting your Salesforce-powered customer service and support staff ready for GDPR involves more than just the free Trailhead training module. But it's a start.

The European Union's new GDPR customer data regulations are likely to change many of the ways that customer service and support groups work with CRM data in Salesforce and its competing applications. Enterprises need to train agents on how to process incoming customer requests to delete or reduce customer data.

Moreover, service and support teams may have less available information to efficiently process customer inquiries.

Enterprises also need to audit customer service and support software modules that make use of customer data. The General Data Protection Regulation could also impact the customer data used in predictive analytics services to proactively provide services and customer recommendations.

"Businesses simply don't have the workflows in place because they never had to; at least, not at this scale across all lines of business," said Jeff Nicholson, vice president of CRM product marketing at Salesforce rival Pegasystems. "Consider that, for the past decade, businesses have been trying to achieve a 360-degree view of their customers, and many, if not most, have not managed to achieve that across all their disparate systems and disjointed data."

GDPR customer data rules will force many businesses to rethink their current workflows for data protection and privacy. When it comes to servicing customers, many enterprises use a number of disparate systems that agents touch daily to fulfill their duties. Every system that holds personal customer data will be impacted. Based on some legal interpretations, this could even include providing online chat logs and much more for data access requests.

Organizations need to first understand what percent or volume of their customer database includes EU residents' data and how disparate or consolidated that data is across the organization. Once they know that, it will give them a sense of how challenging it will be to comply with the legislation.

"For some organizations," Nicholson said, "they may only have a few hundred [customers] to deal with. But for others, it could be hundreds of thousands, if not more, and that will require a very serious strategy for compliance."

Adding GDPR customer data workflow to support teams

Express consent must be granted for the collection of any customer data, including the specific data that is being collected and the purposes for which it will be used, according to GDPR customer data regulations.

To make sure that consent is informed, privacy policies must be both easy to find and easy to understand. In addition to storing data securely, businesses are required to allow customers to access their own data any time, as well as give them the ability to request that data be updated, deleted, moved to another organization, or its use restricted to specific purposes.

Salesforce offers guidance in a Trailhead training module on how to adapt a workflow to the new rules.

GDPR checklist

GDPR places the onus on businesses to demonstrate an existing email relationship with a customer. While there is some latitude here, it's best to err on the side of caution. If the enterprise offers a service, then engagement with an active customer -- in the form of opened emails and clicks -- may be enough to prove that relationship. But lapsed or inactive subscribers should be purged.

It's also important to maintain a regular auditing process to ensure compliance over time. If data is deleted at a user's request, that individual's data may be recorded again if he or she visits the company's website, said Paul Harrison, CTO of, an omnichannel ad tech service that can be integrated with Salesforce.

Marketing teams need to create as many opportunities for people to opt-in as possible, as well as advertise the benefits of doing so. In parallel with marketing efforts, sales and support teams should reach out to their contacts personally with the opt-in link that marketing creates to further build relationships and aid in the opt-in process. This will need to be an ongoing process, even after the GDPR customer data regulation goes into effect.

It's also important to create systems and tracking tools that will enable the enterprise to see clear distinctions between what support teams can and cannot send to customers. It's good to have different opt-in choices to make it possible to communicate important information about products, such as safety recall information, even to people who don't want to receive marketing information.

Automate privacy requests

Customer support agents will have to be trained to handle over-the-phone requests and put them into effect company-wide, said John Joseph, VP of marketing at Scribe Software Corp., which provides integration platform as a service between Salesforce and other data systems. When GDPR goes into effect, every part of the organization must be prepared to respond to the powers the regulation grants EU citizens who are customers, prospects and partners.

"You'll first have to have the systems in place that allow you to respond, and then you'll have to have the process in place to take action," Joseph said.

For example, having a central data integration platform to handle data flows instead of hand-coded integration between systems makes it much easier to prove that the enterprise's data handling processes are in compliance with GDPR customer data mandates. Many organizations will have to take a more central approach to handling data.

When any part of the organization receives a GDPR-related request, such as a request to forget a customer's data or to explain how the data is being used, the organization will have to kick off a process that cuts across different departments. For example, if someone sends a request to the support inbox to erase their data, it means that the marketing and sales departments must forget them, too.

One type of approach, as demonstrated by Scribe's integration platform, is to use an interface that is self-documenting. This enables everyone in the organization to understand the logic of the integration.

This kind of approach could be applied to all CRM integrations to make it easier for support staff to process a customer's requests, and to quickly find all the applications that leverage their data. This kind of strategy eliminates the uncertainty around undocumented, custom-coded software integrations.

Secure permissions to support GRC requirements

Enterprises will also need to develop a set of processes and service policies when customer data is required for governance, risk management and compliance. This is likely to affect healthcare, law firms, financial services and public sector firms.

Many businesses are employing technologies such as artificial intelligence, predictive modeling and other types of automated decision-making approaches [and] they can't explain the logic that's been applied.
Martin JamesDataStax

"This will impact organizations in the B2C, as well as B2B markets," said Martin James, regional vice president for northern Europe at DataStax, a data management vendor that numerous large Salesforce customers use. "For the latter, think of a corporate health insurance provider or a financial services organization servicing other businesses. That company will have to process customer information as part of their risk analysis, customer due diligence and know your customer processes."

When an intermediary is involved, the company needs to ensure that it has secured the specific permissions to process and transmit personal data to third parties.

Make AI transparent

Additionally, many businesses are quickly discovering that they will be directly affected by the GDPR customer data-related articles pertaining to automated decision-making. Industries such as finance, healthcare and insurance will feel it the most. The key to this aspect of the legislation is not just permission, but transparency.

"The problem is that many businesses are employing technologies such as artificial intelligence, predictive modeling and other types of automated decision-making approaches [and] they can't explain the logic that's been applied because they are very much black box or opaque AI," James said.

In those cases, the affected organizations will need to transition to a transparent form of AI that can provide that ability to explain the logic of any given decision. Businesses must understand where opaque approaches are being used for decisions that would fall under GDPR, and then they have to find alternative methods to make those decisions more transparent. They will also have to explain why a decision was made, and explain it in common language.

Next Steps

 Life insurance company thrives with OpenText-Salesforce integration

Dig Deeper on Customer service and contact center

Content Management
Unified Communications
Data Management
Enterprise AI