Ensuring Data Security and Compliance

Contact centres are among the largest holders of customer information in the business world, so keeping that data safe and secure is essential to maintaining a trustworthy relationship with current and potential clients. A great deal of personal data flows through a contact centre: customers getting in touch via multiple channels, sales or marketing calls, and recordings of customer interactions. Working out how your contact centre complies with data protection and payment security rules can therefore feel daunting. The two main requirements a contact centre needs to meet are GDPR and PCI DSS compliance, so in this article we explore what each demands and how you can enforce it in your business.

Why is maintaining compliance so important?

You may be wondering why compliance with GDPR and PCI DSS matters so much. The simple answer is that GDPR compliance is a legal obligation, and any company that accepts card payments must be PCI DSS compliant under the card scheme rules and its merchant agreement with its acquirer. PCI DSS is an industry standard rather than a law, but it is enforced by contract: an acquirer can levy fines on a non-compliant merchant or withdraw its ability to take card payments. Following the appropriate guidelines matters because if a company is found to be non-compliant following a data breach, hefty penalties are likely. Infringement of GDPR can lead to a fine of up to €20 million or 4% of annual worldwide turnover, whichever figure is higher. In the case of Target, a breach in which card data was stolen ended up costing the company a reported $61 million.

While money is certainly a key motivator in ensuring compliance, maintaining GDPR and PCI DSS compliance is also essential for customer happiness and loyalty. Data breaches can cause irreparable damage to your brand’s reputation, with company data breaches often leading to customers jumping ship to other brands or providers.

Ways to Maintain GDPR Compliance

There are a number of ways in which GDPR compliance can be implemented and maintained. Firstly, review all data as it is gathered against the question "is this needed?" (the data minimisation principle). Ask how you would justify holding sensitive information about clients if a leak ever occurred, and if there is no reason to keep the data beyond using it for marketing, it should be removed from the system. For call centres, every recorded conversation must be justified too: simply saying the recording is "for training purposes" is not adequate on its own, because each recording needs a lawful basis under GDPR. Calls can be recorded where the customer has given consent, where recording is necessary for a contract with the customer or to meet a legal obligation, where it protects someone's vital interests, where it is carried out in the public interest, or where the business has a legitimate interest that is not overridden by the customer's rights. Whichever basis applies, callers must be told that the call is being recorded and why.

All recorded data, including call recordings, should be encrypted at rest and in transit, so that personal information is far harder to recover if a breach does occur. Encryption does not remove the need to find the data, however: every record must still be indexed to the customer it relates to, so that it can be located and deleted promptly if the customer exercises their right to erasure, and located and supplied if they make a subject access request.

Staff access levels within the contact centre should be reviewed with GDPR in mind and set on a least-privilege basis. Only some members of staff need to see a full customer record when dealing with a case; for the most part, front-line agents may only need a client's name and the details of the current enquiry when taking a call, so access privileges should be cut back accordingly. Another way of protecting customer information is to hold personal or sensitive data separately from the record of a customer's interactions, so that no single system or query yields a full profile. This limits what a breach of any one system exposes and makes staff access rights easier to manage.

In addition, contact centre staff should receive training on what they write when recording the outcome of a call. Under GDPR a customer can make a subject access request, normally free of charge, and is entitled to a copy of the personal data held about them, including any notes or comments an agent made during or after a call. Staff must be trained not to make potentially offensive remarks in those notes, no matter how difficult or irritating the call was, because the customer may read them. If any work is outsourced, the company you outsource to is a processor acting on your behalf and must also follow GDPR; you remain responsible for the data it handles, and the arrangement must be covered by a written contract setting out what the processor may do with that data.

Ways to Ensure Data is PCI DSS Compliant

If your company accepts card payments, then it must be PCI DSS compliant. You can find out more about the requirements of PCI DSS compliance in our guide. The standard's twelve requirements are grouped under six control objectives:

1. Build and Maintain a Secure Network and Systems

Firewalls must be installed and maintained to protect every system that stores, processes or transmits cardholder data, and vendor-supplied defaults (passwords and settings) must be changed before a system goes live.

2. Protect Cardholder Data

Sensitive authentication data (the CVV/CVC security code, the PIN and full magnetic-stripe or chip track data) must never be stored after a payment has been authorised, even in encrypted form. The primary account number (PAN) may be stored only if it is rendered unreadable wherever it is held, by strong encryption, truncation, tokenisation or one-way hashing, and it must be encrypted whenever it travels over open or public networks. Cardholder name, expiry date and service code may be stored but must still be protected.

3. Maintain a Vulnerability Management Program

Anti-malware software must be deployed and kept up to date on systems commonly affected by malware, and all systems and applications must be patched against known vulnerabilities.

4. Regularly Monitor and Test Networks

All access to network resources and cardholder data must be logged and the logs reviewed, and security systems and processes must be tested regularly, including vulnerability scans and penetration tests, to confirm that the environment is still compliant.

5. Maintain an Information Security Policy

A formal information security policy covering all personnel must be created, communicated and adhered to.

6. Implement Strong Access Control Measures

Cardholder data must be available only to those with a business need to know. Each user must have a unique ID, and physical access to cardholder data must be restricted. Agents who do not need to see a customer's full card details should not be able to retrieve them.
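As an added example (not code from Hostcomm or from this page), the Python script below shows how objectives 2 and 6, and the "unreadable but still trackable" point from the GDPR section above, look in practice for a contact-centre payment record. It refuses to store sensitive authentication data, masks the PAN and keeps only a keyed hash of it as a stable reference for lookup and erasure, scrubs any full card number an agent typed into free-text notes, and projects the stored record down to what each role is allowed to see. The key, field list, role table, sample record and notes are all constructed for the example; in a real deployment the key would live in an HSM or secrets manager rather than in the source.

```python
"""Card-data handling for a contact-centre payment record (constructed example)."""
import hashlib
import hmac
import re

# Assumption: a real deployment keeps this key in an HSM or secrets manager.
TOKEN_KEY = b"example-only-key-do-not-use-in-production"

# Sensitive authentication data: must never be stored after authorisation.
FORBIDDEN_FIELDS = {"cvv", "cvc", "cvv2", "cvc2", "pin", "track_data"}

# Fields each role may see; anything not listed is withheld (deny by default).
ROLE_FIELDS = {
    "agent": {"name", "pan_masked"},
    "payments_team": {"name", "pan_masked", "pan_token", "expiry", "notes"},
}

# 13-19 digits, optionally separated by spaces or dashes, not part of a longer run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; filters most phone and reference numbers out of PAN matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, which is all a call-handling agent needs."""
    return "*" * (len(pan) - 4) + pan[-4:]


def pan_token(pan: str) -> str:
    """Keyed one-way hash (HMAC-SHA256) of the PAN: stable enough to find and
    erase a record on request, useless to an attacker who lacks the key."""
    return hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid card number in free text with its masked form."""
    def _mask(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        return mask_pan(digits) if luhn_valid(digits) else match.group(0)
    return PAN_CANDIDATE.sub(_mask, text)


def prepare_for_storage(payment: dict) -> dict:
    """Turn a raw payment capture into the record the contact centre may keep.

    Raises ValueError rather than silently dropping fields, so an intake form
    that collects the CVV is caught at the point of capture, not stored quietly.
    """
    forbidden = FORBIDDEN_FIELDS & {k.lower() for k in payment}
    if forbidden:
        raise ValueError(f"refusing to store sensitive authentication data: {sorted(forbidden)}")
    pan = re.sub(r"[ -]", "", payment["pan"])
    if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
        raise ValueError("PAN failed format or Luhn check")
    record = {k: v for k, v in payment.items() if k != "pan"}
    record["pan_masked"] = mask_pan(pan)      # readable only in truncated form
    record["pan_token"] = pan_token(pan)      # lookup/erasure reference
    if "notes" in record:
        record["notes"] = redact_pans(record["notes"])  # scrub agent free text
    return record


def view_for_role(record: dict, role: str) -> dict:
    """Project a stored record down to the fields the role is allowed to see."""
    allowed = ROLE_FIELDS.get(role, set())
    return {k: v for k, v in record.items() if k in allowed}


if __name__ == "__main__":
    # Constructed sample of what an agent captured during a payment call.
    capture = {
        "name": "A. Customer",
        "pan": "4111 1111 1111 1111",  # standard Visa test number
        "expiry": "12/27",
        "notes": "Customer read out 4111-1111-1111-1111; case ref 1234567890123.",
    }
    stored = prepare_for_storage(capture)
    print(stored)
    print("agent view:", view_for_role(stored, "agent"))
    try:
        prepare_for_storage({**capture, "cvv": "123"})
    except ValueError as err:
        print("rejected:", err)
```

Two caveats a practitioner should keep in mind. The Luhn check passes roughly one in ten random digit strings, so the note scrubber will occasionally mask a reference number that is not a card number; a production data-loss-prevention rule would also check the issuer range and tolerate that rare false positive in favour of never leaking a real PAN. And storing the masked PAN beside its keyed hash is acceptable only because the hash is keyed: an unkeyed hash of a sixteen-digit number with known last four digits can be brute-forced in seconds.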

Following these objectives covers the basic requirements of PCI DSS, but there are other ways in which a contact centre can reduce its exposure. Removing the need for customers to read out card details or passwords, by using a secure keypad-entry (DTMF) capture system that takes the digits from the phone keypad and masks the tones, means the sensitive data never reaches the agent or the call recording. Recordings can then run for the whole conversation, with no risk of the human error that comes from agents pausing and resuming the recording to keep card numbers out of it.

Simpler measures also help. Swapping pen and paper for whiteboards ensures that any notes made during calls are temporary and wiped afterwards, so agents cannot keep a written copy of sensitive information. Likewise, banning personal devices on the floor stops sensitive data being captured by mobile phones or similar devices, which could record, note or photograph it.

If you are a contact centre looking for a way to ensure PCI DSS compliance in the UK, then Hostcomm’s hosted predictive dialler offers a solution that can guarantee security for your customers. Providing superior protection across the whole platform, our hosted predictive diallers are secure to ensure all customer data is safe. If you would like to find out more about what Hostcomm can offer your business, get in touch today!




Accreditations

PCI DSS Certified, TPS Telephone Preference Service, ICOCSA Supplier Member, Cyber Essentials