
Business SMS, Live Chat, and GDPR Compliance


By Jean Shin, Director, Enterprise Solutions


GDPR brought many changes that affect customer communications and imposes extra obligations on retailers that want to stay in touch. However, mobile chat and SMS have proved to resolve customer issues quickly and efficiently. Hence, for companies, obtaining and maintaining user permission to connect on the channels they use most is worth the extra effort required.

The enactment of the GDPR brought many changes that affect customer communications, and it brings extra obligations for retailers that want to stay in touch. But obtaining and maintaining permission to connect with consumers on the channels they use most is worth the extra effort required.

Mobile communications, SMS and live chat are widely used for different reasons. Mobile messaging is used because it gives consumers quick access to agents and systems that can resolve a problem or adjust an appointment or order. SMS, meanwhile, is a more effective mobile marketing channel than any other: a recent report found SMS marketing messages had a 98% open rate and messages were opened within three seconds of being received.

So what are the legal changes to how these vital tools are being used?

The new rules

The regulation governs the use and storage of personal data of EU citizens regardless of where it was acquired. The way data is collected (text message, web form or onscreen prompt) must also illustrate how it will be used. Companies must now provide a way for users to opt out of communications and process these requests quickly.

What has changed?

Up to the introduction of the GDPR, real-time communication methods such as SMS and live chat allowed organizations (public, private companies, governments, etc.) to collect data through their interactions with website visitors or customers. Organizations could go on communicating with customers and hold on to the information collected for as long as they wanted.

That customer data could be plucked from a database to be used for marketing efforts at any time. Little consideration needed to be given to how long ago the user was last active or the reason they first made contact.

Now, companies must change how they interact with users and store the data gathered over time. Understanding what kind of data has already been collected is an important first step in working toward GDPR compliance. Many organizations have already been collecting personally identifiable information over SMS or live chat. Examining this historical data is a good way to determine the sort of information users tend to provide; some may need to be removed, since it can be stored only as long as necessary.

The GDPR demands companies gain consent before collecting or processing personal data and there are requirements for how that consent can be requested. A person can give consent through a check box on a web form or by email, for example. Consent must be obtained in a format that is easy to read and allows the user control over the choice. Giving users a choice is key. For example, consent is rendered invalid if it is a required condition to use a service or receive a resource like a whitepaper.

How to obtain consent

Requesting consent can be achieved through a variety of opt-in methods. Apps and websites can provide onscreen explanations or pop-up notifications to show users what data is being collected and explain what happens after submission. The GDPR specifically prohibits the use of pre-checked options, so be sure to avoid using them.

SMS double opt-in can provide users a way to explicitly request communications. This requires the user to send a specific code in order to subscribe or request offered information. A confirmation message sent to the user requires a final response in order to complete the request. Users can unsubscribe quickly by replying to any previous message sent.

Documenting the process

The GDPR requires organizations to protect private data but also to keep records of how data and consent were obtained. The context around a request for consent is especially important to prove it was lawfully obtained. Consent without supporting documentation of how it was obtained is now invalid.
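The SMS double opt-in flow and the record keeping described in the two sections above can be sketched as a small state machine. This is an added example, not code from the original article or any vendor; the keywords JOIN, YES and STOP, the `ConsentLedger` class, the record fields and the sample number are all assumptions made for illustration.

```python
import hashlib
from datetime import datetime, timezone

# Assumed keywords: the article only says "a specific code" and "a final response".
JOIN, CONFIRM, STOP = "JOIN", "YES", "STOP"
CONFIRM_PROMPT = "Reply YES to confirm you want offers by SMS. Reply STOP to cancel."

class ConsentLedger:
    def __init__(self):
        self.state = {}    # number -> "pending" | "subscribed"
        self.records = []  # append-only evidence of how consent was given or withdrawn

    def _log(self, number, event, inbound, prompt=None):
        self.records.append({
            "number": number, "event": event, "channel": "sms",
            "inbound_text": inbound,  # the exact words the user sent
            # Hash of the wording the user answered, so the context can be proven later.
            "prompt_sha256": hashlib.sha256(prompt.encode()).hexdigest() if prompt else None,
            "at": datetime.now(timezone.utc).isoformat(),
        })

    def handle_inbound(self, number, text):
        """Process one inbound SMS and return the reply to send, or None."""
        word = text.strip().upper()
        current = self.state.get(number)
        if word == STOP:                      # opt-out works in any known state
            if current is None:
                return None
            del self.state[number]
            self._log(number, "withdrawn", text)
            return "You are unsubscribed."
        if word == JOIN and current is None:  # step 1: user requests communications
            self.state[number] = "pending"
            self._log(number, "requested", text)
            return CONFIRM_PROMPT
        if word == CONFIRM and current == "pending":  # step 2: final response
            self.state[number] = "subscribed"
            self._log(number, "confirmed", text, prompt=CONFIRM_PROMPT)
            return "Subscription confirmed."
        return None  # anything else never creates or upgrades consent

    def may_message(self, number):
        return self.state.get(number) == "subscribed"

def demo():
    # Constructed sample traffic from a constructed number.
    ledger, number = ConsentLedger(), "+15550100"
    for msg in ["yes", "join", " Yes ", "stop"]:
        ledger.handle_inbound(number, msg)
    return [r["event"] for r in ledger.records]
```

A stray "yes" with no pending request is ignored, so a single inbound message can never produce a subscription, and every state change leaves a timestamped record of what the user sent and which prompt they answered.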

Data erasure

Companies should be prepared and able to remove data when requested and lawfully required to do so. If finding and removing data in a timely manner is an issue, modifying existing data workflows may be in order.

GDPR compliance and successful customer communications

The GDPR has added some layers of complexity to marketing and customer communications, and the way they are practiced must be adjusted to accommodate the new rules. The extra steps required for compliance may seem like a burdensome process, but the benefit of engaging with your customers on their preferred communication channels far outweighs the effort, especially for forward-looking brands.