The General Data Protection Regulation and its impact on customer service

Written by Alana Team
on November 12, 2020

The customer service experience has evolved a lot over the past decade with the use of Big Data and emerging technologies. After all, data is the new petroleum and represents the main asset of companies that deal directly with consumers.

Now, this area is about to be impacted by the General Data Protection Act (GDPR), which officially came into force at the end of August. Marketing and customer service areas, which had already been impacted since 2018, when the European GDPR came into force, must now also pay attention to national data protection regulations.

The GDPR replaces the Brazilian Civil Rights Framework for the Internet, 2014, and establishes a set of regulations on personal data handling and sharing, which are common practices in companies that handle a high volume of consumer data.

It was inspired by the European GDPR (General Data Protection Regulation) which provides for greater control of personal data by consumers. The idea is that individuals can authorize or deny the use of their personal data according to the purpose of the use and security issues.

Understand what is considered personal data, how it feeds customer service strategies and tools, and the importance of preparing the areas of marketing and customer service for GDPR.

What changes with the General Data Protection Regulation?

The GDPR creates a new scenario for the country, with more security and standardization of practices for the market, as well as establishing clear rules on the use of data for marketing and customer service.

Among the most relevant points of the Regulation are:

  1. The definition of concepts about personal data and the agents that collect and process data.
  2. A list of GDPR exceptions, which may occur when compliance with legal requirements is required.
  3. The international coverage and sharing with countries that also have existing data protection regulation.
  4. The determination of the NDPA (National Personal Data Protection Authority) inspection body.
  5. The designation of penalties for security breaches by companies.
  6. A single regulation for the whole country and strengthening the need for consent.

The Law comes into force to give more transparency to consumers about the use of their personal data and also to guarantee more information security, which is an important and recurring theme within large technology companies.


What types of data are used in marketing and customer service? 

According to the definition of philosophy, data is an “initial element of any act of knowledge, directly and immediately presented to the conscience, and which will serve as a basis or assumption in the cognitive process”, that is, the information.

And there are several types of data, as specified in the GDPR:

  • Personal data: information regarding the identified or identifiable natural person. This data can also be known as Personally Identifiable Information (PII).
  • Sensitive data: personal data related to racial, ethnic, religious, political, sexual, genetic or biometric themes.
  • Anonymized data: information about a natural person who cannot be identified.

Definitions are necessary because there are specific rules for the collection and handling of sensitive data, for example.

In many companies, data is an essential part of their sales and customer service strategy. With it, those companies can make decisions based on numbers and facts, as well as determine the causes of problems and reduce risks.

The GDPR Principles and Exceptions

Transparency is one of the principles of Law No. 13,709. Therefore, every company must clearly specify the purpose for which the data provided will be used.

Only in certain specific cases is it permitted to use the information without consent, as determined in Article 11 of the Law:

  • Compliance with a legal or regulatory obligation;
  • Shared processing of data necessary for the implementation of public policies established in laws or regulations;
  • In studies carried out by research bodies, the anonymization of data should be used whenever possible;
  • Regular exercise of rights;
  • Protection of physical security and life;
  • Prevention of fraud and security of the holder;
  • When in health care.

Companies that provide a specific type of customer service for collections, for example, fall within the use of exceptions due to their ultimate goal. It is worth mentioning that even though they are an exception, they need to guarantee the principles of data protection.


On the other hand, virtual stores and any business that collects data need, and should, adapt to the new Law. How? By making the data collection properly transparent, selective, and focused only on requesting information needed to perform a certain action.

How to prepare your company for the General Data Protection Regulation

For the process to pay off in the long term, it is worth creating a strategy to foster a culture of information and data security within the company.

In the short term, it is essential to train all staff that work directly with data, so that each area can assess how the processes might be changed. Here are some tips on how to implement GDPR standards in your business:

Creation of an analysis committee

Planning is mandatory before any action! With that in mind, define the leaders and key people who should participate in the GDPR analysis so that they can identify points for improvement and how the company should act.

Among the areas indicated to participate in such planning are legal, risk and compliance, technology, customer service, marketing, sales, and human resources.

Definition of an implementation roadmap

After the analysis of the legislation and the business, it is time to draw up a plan to change processes that collect and use customer data. What should be included:

  • Storage: How is it currently done? What data does the company have stored? Are they authorized according to the purpose of the use?

If the data is used for more than one purpose, it is mandatory to update the rules and request the customers' authorization again.

  • Classification: Is sensitive data classified separately?

If the answer is no, draw up a plan to classify it correctly, as determined by the GDPR.

  • Processing and Transferring: Is the data anonymous or encrypted? Is it possible to identify the data?

Data security is an essential factor in protecting customers. In the roadmap, include actions to ensure the quality of data encryption to anonymize it.

  • Permissions: Is there control over data access? Is there a data governance policy in the company?

To ensure even more security and compliance, it’s essential to have an area responsible for data access permission, assuring control.

Consent to use of data

After the entire analysis and planning phase, the company must renew the consent of its database. The objective is to specify the new rules for the collection, use and storage of personal data of customers and people who have contact with the brand.

It may be that during this process the database will decrease since the person has the right to revoke the use of the data at any time. On the other hand, this guarantees suitability for the GDPR and the quality of information available.

This moment can be an opportunity to get to know customers even better.

GDPR and Artificial Intelligence

Several technologies use data so that the results they achieve are more accurate. This is also the case with artificial intelligence, which is powered by data. The information used by AI serves, in general, to build profiles and offer personalized and rich experiences.

A very common example is recommendation systems, which guide people according to their browsing preferences.

In addition, intelligent systems like Alana Chatbot or Alana Reply can collect public data and make humanized interactions, all based on a proprietary artificial intelligence algorithm. 

So what changes for AI under the GDPR? It is essential to make it clear to customers that the company uses technologies that use artificial intelligence, such as service chatbots that take advantage of data for the purposes of Customer Care interactions.

In addition to the GDPR, the artificial intelligence market has undergone an evolution in terms of its own regulations, to ensure the development and creation of safe AI technologies that comply with international quality criteria.

Risks of not complying with the General Data Protection Regulation

Some people believe that the financial fine is the main risk of non-compliance with the GDPR, but in a globalized world, with a lot of access and dissemination of information, failing to enforce the Law is extremely damaging to the brand as a whole.

It is easier to recover monetary gains and investments than to regain people's confidence.

For this reason, it is worth investing resources in the implementation of strategies focused on GDPR, from establishing people responsible for governance and data management, to the use of technological tools to improve the use of information available for customer service.

Want to learn more about how technology impacts the customer service and data usage process? Check out the Customer Care = Humans + Technology Webseries, with the participation of the CEOs of Netshoes and Polishop.


