Two very divergent trends are coming to a head, which could potentially change the way the industry does business.
On one hand, CX programs and customer needs are more targeted towards a dialogue with the individual customer. On the other hand, personal data and data-protection regulations are becoming more restrictive. This collision means businesses are facing more challenges than ever when conducting a multi-national CX program, specifically in Europe and Asia.
The legal framework and Code of Conduct is evolving and changing continuously. As there is no global framework, businesses need to understand the specific rules and regulations of each and every country to decide if, when and how they are allowed to contact their customers – a base requirement for a customer feedback program. Opt-In regulations vary even within Europe; the same applies for Opt-Outs, where there are even differences by communication channel. Many countries have a different answer to questions like “Is a market research or marketing Opt-In required to conduct a CX program?” “What is required for me to be able to enrich my CRM system with the customer data I gathered?” or “Can the customer access all information stored about him?”
The challenges are even more complex for international companies who want to manage their CX program internationally. How can customer data be stored, analyzed, enriched in compliance with legal requirements? In October 2015, the European Court of Justice (ECJ) ruled that the long-standing EU data privacy and protection agreement, known as Safe Harbor, is no longer valid. Historically, this agreement made it possible for data transfers between the EU and US using a single standard self-declaration framework. This is not the case anymore, so companies who relied on Safe Harbor need new solutions to stay legally compliant. Other individual countries such as Russia and China are establishing their own data privacy laws as well. No doubt: It’s of peak importance for companies to understand and mitigate the risk related to this when they conduct their CX programs as potential fines of up to 2% of a company’s global revenue for the violation of data privacy laws can cause companies big headaches.
While rules and regulations appear to have become really strict already, there is more to expect. Recent violation of data-privacy rights from private companies and governments have opened the door for a new perspective. Discussions become more emotional and drastic proposals are on the table. So this is just the beginning of a tightening data privacy regulation path.
Here are some likely future trends and requirements I see on the horizon:
- Private data must physically remain in the country of origin; cross-border traffic is not allowed
- Data collection is only allowed or feasible in-country
- All private data about an individual must be made accessible to the person for review, editing or deletion
- The diversity of regulations will increase even more as countries in Asia Pacific are just starting to introduce their own frameworks of regulation
- US companies need to pay attention and face the risk of suffering from a lack of trust in their willingness to adhere to non-US data-protection standards. European and Asian data owners or processors will gain significant power
- The financial risk will be high enough to encourage Information Security departments to demand to meet or exceed standards or best practices
We are facing a future that will require companies to continually observe and review their CX program designs, architecture and data flows to adhere with localized data-protection rules and processes. Multi-country CX programs will require experts and consultancy, not just in technology, analytics, industry-expertise and program management, but also in data-protection legislation and information security.