GDPR(General Data Protection Regs) and Customer Complaints


2 replies to this topic

#1 dani2511

Grade - Active (IFSQN Active, 9 posts, 1 thanks)
United Kingdom

Posted 08 June 2018 - 09:56 AM

Hi all,

We are a small company with no data protection officer - all data protection is being handled to the best of abilities by our HR Manager and E-Commerce Marketeer.

I am trying to implement a BRC Standard but, due to the new GDPR regulations, I am wondering how much detail we should be expected to hold regarding customer complaints. Should we forgo the customer details section and simply categorise the customer (i.e. consumer, retailer, distributor) for trending?

How much detail are you holding in your complaints forms/logs following the new regs coming into force?

Our customer services team will need to hold the customer's details somewhere to respond to the complaint, but would the QMS records need to hold this data too?

Apologies - inexperience and unavailable resources have led me here!

Thanks everyone.

#2 GrumpyJimmy

Grade - MIFSQN (IFSQN Member, 122 posts, 28 thanks)
Wales, South West
Interests: IronMan Competitor & Film lover
IFSQN Member of the Month July 2017 and chuffin proud!

Posted 08 June 2018 - 10:47 AM

Hi dani2511, a minefield is what it is! A few key points below, but according to GDPR, organizations must:

  • Only process data for authorized purposes
  • Ensure data accuracy and integrity
  • Minimize subjects' identity exposure
  • Implement data security measures

It's a difficult one to interpret, but I have read it as: you must keep as little data on a person as necessary to identify them, they have a right to have it deleted, and you must have sufficient data security to fend off pesky hackers who, outside the context you use the data for, won't be able to use it for criminal means.

Personally, we have customer records which have a specific identifying code number, and with regards to complaints etc. I use the code to identify them, so if there is a problem I can further get their info. It means we are not doubling up on people's data which might become inaccurate, and there is less data to find.

That's all I got, sorry.

Jimmy

#3 wil08

Grade - Active (IFSQN Active, 5 posts, 0 thanks)
United Kingdom

Posted 26 June 2018 - 11:35 AM

Hi, we are also in lengthy discussions on this topic - it really is a minefield.

With regards to customer complaints, the key personnel responsible for collecting the customer's info (i.e. Technical/QA or sales/account manager / general company email) should restrict access to the customer's personal information from other employees (so we ensure certain folders on the network are restricted access).

We have also created a risk assessment document which clearly lays out all the personal data we collate (we also specify which department, so for us it would be the technical department) and lists out all the documents/personal info you would keep (medical questionnaires, customer complaints, supplier approval contact information, training documents), and for HR, e.g., that would be Return to Work forms, sick lines and other very confidential info on staff. So you risk assess each area for the risk of exposure and how risky it would be if someone else was to obtain this personal information - so, for example, the risk is higher for HR records such as sick notes being in the wrong hands than the risk of a customer complaint log which only specifies the customer name & address (no medical history or very personal information held).

This is how we are firstly approaching this, and it is a good exercise to do, as it helps you think of all the documents you are actually keeping - as on a daily basis you do not step back to think about this all - or the consequences.

Also, a good idea I think would be to convert the medical questionnaires onto paperless / iPads if possible - this prevents the actual medical questionnaires from sitting exposed at reception (especially if reception is unmanned), as other visitors could nosy through previous questionnaires if these are left sitting and not filed away.

If you have these paperless & use a tablet to record the info, it is then very secure, confidential to the relevant employee who requires this information (Technical Manager - to assess if the visitor can enter the factory floor) & there is no risk of the paperwork getting into the wrong hands...

We are still learning more about the new law - and ensuring our teams are all receiving training on GDPR to ensure all are briefed on this & know what is expected of them. If we can be seen to be taking action and keeping the data safe, then it will all help towards compliance.

For BRC implementation - we do keep a log of all our customer complaints (electronic log) which is document controlled, and the log is only accessible by the Technical team, and the key complaint information (excluding the customer details) is then cascaded around to the relevant teams when required (for weekly management meetings). This helps us comply with BRC clause 3.10 - as long as you are recording the key info, investigating, RCA & documenting corrective actions and trending as required - you can keep the confidential customer info (address/details/name etc.) in the 1 department - with the 1 key person in the company - and keep access restricted. You obviously still require this information to get in touch with the customer, so it is needed to an extent.

Also, you could send a privacy statement in relation to GDPR out to the customers to ensure they agree for us to use / keep their personal data & ensure they agree - this would help keep it all right - and if they ignore the statement / do not reply within a certain timeframe, then take this as acknowledgement of receipt and agreement.

A lot to think about, but I am sure with further training we will figure it all out.
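The two patterns described in this thread - Jimmy's complaint records that carry only a customer code number, and wil08's complaint log whose key facts are cascaded to other teams without the customer details - amount to one data-minimisation design: keep personal details once, in a restricted place, and let every other record point at them by reference. The sketch below is an added example and not code from either poster or from any named product; the roles, customer codes, complaint IDs and records are all constructed sample data.

```python
# Added example, not from the IFSQN thread: a complaints log that holds only a
# customer reference code while the personal details sit in a separate directory
# that only named roles can open. All names, roles and records are constructed.
from collections import Counter
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class CustomerRecord:
    """Personal data: kept once, in the restricted directory only."""
    code: str
    name: str
    address: str
    email: str


@dataclass
class ComplaintEntry:
    """QMS record: references the customer by code, never by name or address."""
    complaint_id: str
    customer_code: str      # pseudonymous reference into CustomerDirectory
    customer_type: str      # consumer / retailer / distributor, for trending
    product: str
    category: str
    root_cause: str = ""
    corrective_action: str = ""


class CustomerDirectory:
    """Restricted store of personal details, keyed by customer code."""

    def __init__(self, authorised_roles):
        self._records = {}
        self._authorised = frozenset(authorised_roles)

    def add(self, record):
        self._records[record.code] = record

    def lookup(self, code, role):
        # Only the named roles may resolve a code back to a person.
        if role not in self._authorised:
            raise PermissionError(f"role {role!r} may not read customer details")
        return self._records[code]

    def erase(self, code):
        # Right to erasure: drop the person's details. The complaint log keeps
        # its code-only entry, so trending and RCA records survive the deletion.
        return self._records.pop(code, None) is not None


class ComplaintLog:
    """Document-controlled log of complaints; carries no personal details."""

    def __init__(self):
        self._entries = []

    def record(self, entry):
        self._entries.append(entry)

    def cascade_view(self):
        # What goes to the weekly management meeting: the key complaint facts
        # with the customer reference removed, so no field links to a person.
        return [{k: v for k, v in asdict(e).items() if k != "customer_code"}
                for e in self._entries]

    def trend_by(self, field_name):
        # Trending (e.g. by category or customer type) needs no personal data.
        return Counter(getattr(e, field_name) for e in self._entries)


def build_sample():
    """Constructed sample data wired together for a quick demonstration."""
    directory = CustomerDirectory(authorised_roles={"technical_manager"})
    directory.add(CustomerRecord("C-0001", "A. Sample", "1 Example Road", "a@example.invalid"))
    directory.add(CustomerRecord("C-0002", "B. Sample", "2 Example Road", "b@example.invalid"))
    log = ComplaintLog()
    log.record(ComplaintEntry("CMP-001", "C-0001", "consumer", "Widget", "foreign body"))
    log.record(ComplaintEntry("CMP-002", "C-0002", "retailer", "Widget", "labelling"))
    log.record(ComplaintEntry("CMP-003", "C-0001", "consumer", "Gadget", "foreign body"))
    return directory, log


if __name__ == "__main__":
    directory, log = build_sample()
    print(log.trend_by("category"))          # trending with no personal data
    print(log.cascade_view()[0])             # meeting view, no customer_code
    print(directory.lookup("C-0001", "technical_manager").name)
```

The useful property is that the two halves fail independently in the right direction: a copy of the complaint log that leaks outside the Technical team reveals complaint facts but no person, and an erasure request is satisfied by removing one record from the directory without rewriting or losing any QMS history.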





