Business SMS, Live Chat, and GDPR Compliance

The regulation governs the use and storage of personal data of EU citizens regardless of the location it was acquired. The way data is collected — text message, web form or onscreen prompt — must also illustrate how it will be used. Companies must now provide a way for users to opt-out of communications and process these requests quickly.

Up to the introduction of the GDPR, real time communication methods such as SMS and live chat allowed organizations (public, private companies, governments, etc) to collect data through their interactions with website visitors or customers. Organizations could go on communicating with customers and hold on to the information collected for as long as they wanted.

That customer data could be plucked from a database to be used for marketing efforts at any time. Little consideration needed to be given to the length of time the user was last active nor the reason they first made contact.

Now, companies must change how they interact with users and store the data gathered over time. Understanding what kind of data has already been collected is an important first step in working toward GDPR compliance. Many organizations have already been collecting personally identifiable information over SMS or live chat. Examining this historical data is a good way to determine the sort of information users tend to provide as some may need to be removed since it can be stored only as long as necessary.

The GDPR demands companies gain consent before collecting or processing personal data and there are requirements for how that consent can be requested. A person can give consent through a check box on a web form or by email, for example. Consent must be obtained in a format that is easy to read and allows the user control over the choice. Giving users a choice is key. For example, consent is rendered invalid if it is a required condition to use a service or receive a resource like a whitepaper.

Requesting consent can be achieved through a variety of opt-in methods. Apps and websites can provide onscreen explanations or pop-up notifications to show users what data is being collected and explain what happens after submission. The GDPR specifically prohibits the use of pre-checked options so be sure to avoid using them.

SMS double opt-in can provide users a way to explicitly request communications. This requires the user to send a specific code in order to subscribe or request offered information. A confirmation message sent to the user requires a final response in order to complete the request. Users can unsubscribe quickly by replying to any previous message sent.

The GDPR requires organizations to protect private data but also to keep records of how data and consent was obtained. The context around a request for consent is especially important to prove it was lawfully obtained. Consent without supporting documentation of how it was obtained is now invalid.

Companies should be prepared and capable of removing data when requested and lawfully required to do so. If finding and removing data in a timely manner is an issue, modifying existing data workflows may be in order.

The GDPR has added some layers of complexity to marketing and customer communications and how they are practiced must be adjusted to accommodate the new rules. The extra steps required for compliance may seem like a burdensome process but the benefit of engaging with your customers on their preferred communication channels far outweighs – especially for forward-looking brands.