AN EXL WHITE PAPER

GDPR: A Great Catalyst for Enhancing Customer Experience

Written by: Prakhar Agrawal, Cert. GDPR Practitioner, CIPT, CISM, CISA, PRINCE2
Assistant Vice President, Consulting
[email protected]


Post on 02-Jun-2020



Appreciating the sheer amount of change the GDPR entails, most companies are adopting a risk-based approach to compliance and prioritising areas that will be compliant on day one of a post-GDPR era. The prioritisation criteria a company chooses are the sum total of many factors, such as existing privacy maturity and readiness, risk appetite, and the nature of business.

A careful look beyond the extensive set of requirements captured in the 99 articles and 173 recitals will reveal that the rights and freedoms of customers and staff are at the heart of the Regulation. As companies define their target maturity state and compliance roadmap, there is a tremendous opportunity for putting forth their brand as one that customers can trust. Come May 2018, the real beneficiaries will be companies that put customer experience at the forefront of their delivery plan and approach, or in other words, focus on data processing activities that are likely to cause most detriment to customers.

GDPR offers many ways companies can enhance customer experience on their path to compliance. Requirements such as fair processing notices and consents are indeed the flag bearers of that idea. The core of customer centricity can be summarised into three facets:

(1) Being transparent and fair

(2) Empowering customers

(3) Being responsible

GDPR is a tough regulation. Achieving and maintaining a target maturity state on May 25, 2018 will require a collaborative investment of time and effort from all functions within an organisation.

With its many daunting requirements and challenging fine structure, GDPR is one of the top board agenda items of every impacted organisation today. Most companies have already established their compliance programmes to come out on the right side of this regulatory regime.


Being Transparent and Fair

Transparency and fairness are foundational pillars of the concept of privacy. Every privacy regulation, including GDPR, has these embedded in its set of requirements.

Under GDPR:

• As early as the first point of data collection, a company will tell its customers upfront, in an easy-to-understand privacy notice without any legal jargon or fine print:
  - What data it collects and how
  - How it intends to use data
  - Where it intends to store data
  - Who it intends to share data with
  - When it intends to dispose of data

• Customers can make informed decisions on whether they want to provide their data based on what they can expect to happen with their data.

• Customers can indicate their agreement to provide data by providing valid consent. “Valid” under GDPR means informed, specific, unambiguous, freely given, and in some cases, explicit.
  - Informed – Ensuring they read and understood the privacy notice.
  - Specific – Provides data for one purpose but not another.
  - Unambiguous – A clear indication that they have consented, such as through an affirmative action.
  - Freely given – Without any fear of adverse consequences, including refusal of service. This is more applicable in the case of employee consent.
  - Explicit – An explicit statement which leaves no room for any confusion or denial, such as by ticking a specific consent box.

• Where personal data relates to more vulnerable customers, such as minors who may not be capable of providing valid consent, the company will seek parental consent.

• Where sensitive data, also known as “special categories of data” under GDPR, is involved, the company will specify this in the privacy notice and reassure customers of its adequate and enhanced protection.

• The company will limit data processing to the intended purpose and period disclosed and agreed to by the customer.

Empowering Customers

Being transparent and fair is not a one-and-done exercise; it is rooted in a company’s customer engagement practices. Customers should be allowed to revisit their inputs at any time. This brings to light another key facet, customer empowerment.

Under GDPR:

• A company will allow customers to be in the mix at all times.
  - Customers can change their consent preferences at any time, whether changing its specificity or withdrawing consent altogether.
  - Companies will allow customers to request such changes easily and diligently honour their request.
  - Companies will offer adequate granular choice and control to customers when exercising their consent preferences.

• Companies will enable customers to be in control of their data and the way it is processed. Specifically, companies will allow customers to:
  - Request a company to update their data, such as for a change of address
  - Request a company to give them details of all data it holds and processes on them
  - Request a company to erase their data (or forget them, temporarily or permanently) if they are unhappy with how any of their data is held, other conditions notwithstanding
  - Object to or restrict specific types of data processing, such as for direct marketing
  - Request human intervention in otherwise automated processing (automated “decision making”, to be accurate)
  - Request for their data to be ported either to them or to a competitor in structured and reusable form, preferably via a self-service portal, thus avoiding potential lock-in effects

• Companies will have in place a robust and customer-friendly request workflow mechanism and leverage it for timely and efficient fulfilment of such customer requests, providing regular status updates and an escalation path when required.

• Customer empowerment is incomplete without the company providing privacy- and security-friendly default settings in all its products and services, such as secure data transmission, no pre-ticked checkboxes, and other methods.

Being Responsible

The third, perhaps most overlooked, facet is for the company to realise that customers have entrusted it with their personal data. This means the company is expected to be fair, transparent, and act responsibly, especially in confrontational circumstances.

Under GDPR, a company will not only take utmost precaution to ensure its data processing is accurate and secure as per the intended purpose agreed with customers, but also be prepared to:

• Promptly notify customers in case of a data breach that may cause them damage or distress, and advise how they can reduce the risk and impact

• Provide clear instructions and mechanisms for prompt and fair handling of complaints, as well as share contact details for its data protection officer

• Provide written responses in cases where a company’s legitimate interests outweigh customers’ rights and those rights cannot be honoured

• Analyse and address any envisaged risks and impact to customers prior to undertaking a new data processing operation via DPIAs

• Only engage with suppliers and third parties that can provide at least the same level of data protection and assurance

• Train staff to handle or process customer data in the intended way

• Create awareness and promote a culture that puts data privacy and security at the forefront


Conclusion

Many companies are now getting serious about their preparations for GDPR. There is indeed an upswing in GDPR adoption as 25 May approaches. It is not surprising that even the Information Commissioner’s Office (ICO), the UK’s data protection authority, recently posted on Twitter that “…one of the most significant days for your new 2018 diary will be 25 May - the day when GDPR comes into effect...”. Most companies are looking to undertake a risk-based prioritisation approach in the run-up to the deadline, as it is well acknowledged that the amount of change is high and there is a need to focus on some areas more than others. What to focus on is a matter of choice, driven by many factors. One thing seems certain - GDPR was designed to change the way companies interact with customers. The real beneficiaries will be companies that put customers at the forefront of their implementation plans.

From initial onboarding to end of association, a customer journey is a multi-step endeavour. The insurance industry provides a good example: an individual starts as a lead, turns into a prospect, a quote is issued and accepted, and at this point the individual becomes a policyholder. If the individual files a claim during the course of the policy, they become a claimant, and so on. In each role, the individual’s personal data is processed in a myriad of ways - sending marketing emails and newsletters, issuing automated quotes, anti-fraud checks, health data processing, profiling and so on. Customer experience starts at the very first step. If the company embeds the three facets described above of fairness and transparency, empowerment, and responsibility in its values, there will be a greater chance of a lead turning into a prospect, a prospect into a policyholder, and a policyholder renewing a contract, which ultimately is the core business objective.

One of the most significant days for your new 2018 diary will be 25 May. The day when GDPR comes into effect. View our guide to the new regulation here: ico.org.uk/for-organisati ...


GLOBAL HEADQUARTERS
280 Park Avenue, 38th Floor, New York, NY 10017

T: +1.212.277.7100 • F: +1.212.277.7111

United States • United Kingdom • Czech Republic • Romania • Bulgaria • India • Philippines • Colombia • South Africa

Email us: [email protected] On the web: EXLservice.com

© 2017 ExlService Holdings, Inc. All Rights Reserved.

For more information, see www.exlservice.com/legal-disclaimer

EXL (NASDAQ: EXLS) is a leading operations management and analytics company that designs and enables agile, customer-centric operating models to help clients improve their revenue growth and profitability. Our delivery model provides market-leading business outcomes using EXL’s proprietary Business EXLerator Framework®, cutting-edge analytics, digital transformation and domain expertise. At EXL, we look deeper to help companies improve global operations, enhance data-driven insights, increase customer satisfaction, and manage risk and compliance. EXL serves the insurance, healthcare, banking and financial services, utilities, travel, transportation and logistics industries. Headquartered in New York, New York, EXL has more than 27,000 professionals in locations throughout the United States, Europe, Asia (primarily India and Philippines), South America, Australia and South Africa.