When it comes to data adequacy, it has been a slow process for the UK to gain full agreement from all the EU institutions, and although we cannot be 100% sure, it now looks almost certain that the EU will deem the UK’s data protection regime ‘adequate’. This will allow data transfers to continue between the UK and EU as they do at present. Further detail is available from the ICO.
The lawyers’ lament
An ‘adequacy’ decision is one of the most important rulings needed to ensure uninterrupted trade in data and services between the UK and the EU post-Brexit. Without it, thousands of individual contractual arrangements would have to be created to cover companies needing to transfer personal data between the UK and EU and vice versa. As we explained in our previous article, aside from all the business process disruption that would be caused if the UK’s data protection regime were ruled inadequate, there would be a massive, direct legal cost. The New Economics Foundation estimated in a recent report that the legal work necessary without an adequacy decision would have cost British businesses between £1bn and £1.6bn. Listen carefully and you can hear the quiet sobbing of contract lawyers missing out on all that work. Tragic!
Transatlantic troubles
So, the adequacy decision is great news, but here’s something else to worry about.
The Privacy Shield was an arrangement designed to provide a mechanism for personal data to flow compliantly between companies in the US and the EU. However, the framework collapsed last summer after being ruled invalid by the European Court of Justice in the Schrems II case.
You might not directly deal in the personal data of individuals in the US, but it would be a rarity for an organisation not to use any US based technology or solutions that make use of data centres in the US. If so, then you need to address this challenge. Remember, the legal definitions of data processing are extremely broad, so having static data in storage in the US or even being visible on an ad hoc basis to a support engineer working on a case both count as ‘processing’.
Many organisations still haven’t managed to create alternative arrangements to transfer personal data across the Atlantic. The EU is working on a replacement for the Privacy Shield, but there is no guarantee this can be agreed any time soon. The data protection regulators, like the Information Commissioner’s Office in the UK, aren’t rushing to penalise companies still transferring data under pre-existing arrangements. But those legacy arrangements aren’t compliant, and your business partners, clients and risk management colleagues are all likely to start expecting businesses to put a solution in place.
More work for you and the lawyers!
To create a solution you will probably rely on Standard Contractual Clauses (SCCs) as the basis for transferring data legally. SCCs are an agreed, boilerplate legal solution that provides an outline framework to ensure that both parties are handling data compliantly, onto which the specific business and process details are added. Unfortunately, the SCCs are in the process of being amended and updated.
There are draft new versions you can make use of, but you might find that your commercial law firm will soon need to change them again if the final version is different. So, more cost and more uncertainty, but good news for those work-deprived contract lawyers.
So, at the last minute and just in time for Christmas, the EU and UK agreed a post-transition Brexit trade deal. If you read our article published just a few days before Boris and Ursula settled their fish-based disputes, then you would hope that the deal included the vital EU ‘adequacy’ ruling on UK personal data protection rules. Unfortunately, this was not the case.
The parties have agreed a 4-to-6-month extension to the current arrangements, so personal data can continue to flow between the UK and the EU, but that looks like the final extension.
What does ‘Processing Personal Data’ really mean?
It is a broad definition. ‘Personal data’ is essentially anything that can be used to identify a real, living person, and ‘processing’ covers just about any activity that involves that data. It is not limited to communications (making calls, sending emails and messaging on social channels): analysis, segmentation and even simple data back-up to storage can all count as processing.
Implications of no adequacy ruling
If the EU does not give the UK an ‘adequacy ruling’ then, as stated by the government, the implications for data handling are that UK data being passed to Europe will be covered by existing laws, but if EU data is sent to the UK, it could contravene data privacy regulations. For pan-European operations, this will pose serious new risks.
If the UK’s rules are not considered adequate by the EU, then a raft of new contractual arrangements using Standard Contractual Clauses (SCCs) will be required. According to a report from the New Economics Foundation and UCL European Institute, ‘The Cost of Inadequacy’, “the aggregate cost to UK firms would likely be between £1 billion and £1.6 billion”, most of which would be the cost of commercial legal work to implement the necessary SCCs.
Are you feeling lucky?
So, should you start to worry about this now and give your lawyers a call?
You may well imagine that, as the UK uses the EU-wide General Data Protection Regulation (GDPR) and the Data Protection Act 2018 as the basis for its data protection rules, the European Commission would have no alternative but to grant the UK an ‘adequacy’ ruling. But that is not the case. A large number of data privacy professionals and data rights groups argue that the UK does not reflect EU standards in its collection and processing of personal data, especially in the areas of national security and data sharing with other friendly states, and so shouldn’t be granted ‘adequacy’. It is worth noting that the European Commission has so far ruled only a small number of countries’ personal data protection to be adequate (Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay).
Do not forget the Privacy Shield
In the meantime, if you have clients in the USA or use technology solutions with data centres in the US, there is something else you need to pay attention to. Since 2016 an arrangement agreed between the US government and the EU called the ‘Privacy Shield’ provided a framework for US and EU companies to compliantly transfer personal data across the Atlantic. Last summer the Privacy Shield collapsed when the European Court of Justice ruled it invalid over concerns that US corporations are subject to making personal data available to US Government agencies.
This may seem like old news, but many organisations are only just waking up to the implications of it. For most companies, there is a solution that will allow appropriate personal data transfers to continue, but unfortunately, once again that is likely to be reliant on Standard Contractual Clauses, lawyers and considerable expense.
What to do?
To manage your risks there are two key pieces of advice we can give to all businesses who use private data in any way, whether for outbound sales, customer service or sales order processing:
- Minimise the amount of data you store per contact. The less data you store, the less likely it is to get you in trouble. Avoid storing risky data such as payment details unless absolutely necessary to your business model.
- Minimise the places you hold data. If your data is stored and processed in only one location, the amount of regulation is minimised. Also, the fewer transfers your data has to undergo, the lower the risk of breaches of privacy, or of your business inadvertently falling foul of the regulations in one region or another.
As a last consideration, check all your IT service providers. Do you really know where your call recordings and network data backups are stored? Identifying where your data is held is essential. If hosted in the cloud then find out where the data servers are located and if your technology provider is unable to provide this information, then your business could be at risk and alternatives should be considered.
If you are unsure how to assess your risks and responsibilities now the UK has left the EU, get in touch. We can advise you about the risks you need to consider and potential ways to mitigate them.
As we head towards the end of December 2020, it is looking increasingly likely that Britain will leave the EU without a deal, or with an “Australia type deal” as described in some parts of the press. Although GDPR has been passed into UK law in the Data Protection Act 2018, leaving the EU without a deal will have some significant implications for how the rules around data privacy will apply in the UK in 2021.
The UK Government’s current stance is that ‘The EU is conducting a data adequacy assessment of the UK. If the EU grants positive adequacy decisions by 1 January 2021, it would mean that personal data can flow freely from the EU/EEA to the UK, as it does now, without any action by organisations.’
However, if we leave without a deal and the EU hasn’t given us an “adequacy ruling” then, as stated by the government, the implications for data handling are that UK data being passed to Europe will be covered by existing laws, but if EU data is sent to the UK, it could contravene data privacy regulations. For pan-European operations, this might pose serious new risks.
What is the UK’s data privacy situation as we leave the EU?
If the UK’s rules aren’t considered adequate by the EU, then a raft of new contractual arrangements using Standard Contractual Clauses (SCCs) will be required. This is according to a report from the New Economics Foundation and UCL European Institute, ‘The Cost of Inadequacy’. The report estimates that “the aggregate cost to UK firms would likely be between £1 billion and £1.6 billion”, most of which would be the cost of commercial legal work to implement the necessary SCCs.
Add to this the arrangement between the US and EU called the ‘Privacy Shield’, which was struck down by the EU over concerns that US corporations are subject to making data available to US Government agencies, which the EU considers a data risk. This creates additional implications for data sharing beyond the EU and UK, across the western hemisphere.
How can you prepare to be Data Privacy compliant?
The EU has released some draft Standard Contractual Clauses which data controllers and processors can use to remain compliant in 2021 and beyond. Already, several commercial law firms are preparing advice which data owners can use to assess their position with respect to data from the UK, EU and other countries including the US. This may come at a price, so here is a very brief summary of the impacts that we expect to see:
- If you have UK data which you store and process in the UK, your operations are not likely to be affected in the short term, as long as they are already compliant.
- If you have UK data which is stored or processed in the EU, you are also not likely to be significantly affected in the short term. The EU’s rules should be enough to protect you against the most likely risks.
- If you have EU data which you store and/or process in the UK, you should review your risks, and the new SCCs may be needed to assure your compliance. This will apply if you use nearshore outsourced customer service or data processing teams.
- If you are a global operation with data from different regions which is transferred across borders, your situation may be complex and will need looking at carefully.
What is best practice in tomorrow’s data handling world?
To manage your risks there are two key pieces of advice we can give to all businesses who use private data in any way, whether for outbound sales, customer service or sales order processing:
- Minimise the amount of data you store per contact. The less data you store, the less likely it is to get you in trouble. Avoid storing risky data such as payment details unless absolutely necessary to your business model.
- Minimise the places you hold data. If your data is stored and processed in only one location, the amount of regulation is minimised. Also, the fewer transfers your data has to undergo, the lower the risk of breaches of privacy, or of your business inadvertently falling foul of the regulations in one region or another.
As a last consideration, check all your IT service providers. Do you really know where your call recordings and network data backups are stored? Identifying where your data is held is essential. If hosted in the cloud then find out where the data servers are located and if your technology provider is unable to provide this information, then your business could be at risk and alternatives should be considered.
If you’re unsure how to assess your risks and prepare for your future once the UK leaves the EU, get in touch. We can advise you about the risks you need to consider and potential ways to mitigate them.
India’s regulations governing outsourcers have recently been relaxed, making it much easier for contact centre agents to work from home and lowering the barriers to entry for businesses wanting to offer outsourced services from India. What does this mean for businesses using outsourced labour to meet customer service demand?
The slimmed-down regulations, announced earlier this month, mean that Indian outsourcers do not now need to register their premises, whereas previously every office used by an outsourcer was required to go through a registration process. There is also no longer any need to give static IP addresses for all operatives and the previously required bank guarantee per seat has been abolished.
This means that outsourcers in India can now create wide VPNs enabling voice and data to be shared throughout the country and across other countries too.
On the positive side, the new regulations mean that Indian outsourcers will be able to react to the global shift towards homeworking and counter the trend of businesses moving their operations back onshore, nearshore or in-house, which could otherwise have a devastating effect on India’s huge outsourcing sector.
What do you need to know?
Amazingly for any UK reader, the new regulations span just eight pages. The entire document, as published by the Ministry of Communications, Government of India, on 5th November 2020, can be read in a few minutes.
Although there are requirements to make call data, secure system access logs and other details available on request, there is no obligation to submit these regularly or register them in advance. The emphasis in the new regulations is on correction rather than prevention of issues.
Is your business outsourcing to India?
These new regulations may make it easier for poorly managed or even unscrupulous operators to work in India. However, it is important to consider that they also make working from home practical for an industry that needs to adapt to a rapid global shift in the way contact centres work.
If you are using Indian outsourced service providers, ensure that their own operating parameters reflect what you need. Seek assurances that data is handled securely and that their systems are safe. Many established outsourcers will already have implemented good data handling and security infrastructures. Make sure that your customer data is safeguarded.
In short, there is no need to stop using reputable outsourced contact centres or remote business process handling. There is, however, an increased pressure to obtain the assurance that your customers’ data is, and will continue to be, handled securely and safely.
Want to assess your potential risk?
If you are unsure how to assess the risks of offshoring parts of your operations, we can help. We have a team of experts who can advise on and assess your operation and, if required, a network of fully vetted, reputable outsourced contact centres and technology providers who can provide alternative options to ensure your operations are safe and secure.
Although there are presently no reliable statistics, it is our understanding, from talking to our contact centre partner network and clients, that hundreds of thousands of contact centre based agents are now handling customer contacts from home.
Amidst all the uncertainty, distress and economic damage that Coronavirus is causing, there have been some positive outcomes. One of these is the impressive way in which the planning and implementation of large technology projects, like the mass shift to home working, has been achieved in only a few short weeks.
However, contact centres that have moved quickly to wholly distribute their workforce are still faced with massive operational challenges, including erratic levels of demand, huge changes to channel usage and how to engage, motivate and support staff without a physical connection. But there are also key, and often pressing, regulatory and compliance questions to be understood and addressed.
How do you prioritise?
Having the responsibility for maintaining customer experience and engagement in the new ‘virtual’ contact centre is a particularly tough task. So, who has the time to ponder what the contact centre homeworking compliance issues are?
Increased risk exposure
In these times of rapid change, meeting compliance and regulatory needs must be underpinned by a focus on prioritisation. Many areas need to be reviewed and changes made, but while some can wait, others really cannot.
The simplest approach is to take a risk-based view. For most organisations, their biggest risk and exposure through contact centre homeworking is not regulatory, it is criminal.
Although many brands and customer management service providers have responded very quickly to Covid-19, criminals and fraudsters have been quicker still.
Fraud
Home-based workers, remote from their usual support and information sources, are potentially vulnerable to fraudsters. To add to this risk, many customers are facing new personal and financial challenges, while organisations are having to handle an increased level of demanding and emotional contacts. Criminals will exploit this emotionally charged time by emulating stressed customers to gain leverage and access to sensitive information.
If data and payment management systems and processes are already insufficiently secure, there is the additional danger that employees may be persuaded or threatened into copying and sharing data. Data security flaws in a traditional contact centre environment will only be amplified in a home-based environment.
Data Protection and the Information Commissioner’s Office (ICO)
The ICO realises that it needs to avoid standing in the way of organisations’ Covid-19 coping strategies. The ICO has said “We understand that resources, whether they are finances or people, might be diverted away from usual compliance or information governance work. We won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period”.
Specifically, on homeworking the ICO says “data protection is not a barrier to increased and different types of homeworking”. The following excerpt from their own information states:
More of our staff will be homeworking during the pandemic. What kind of security measures should my organisation have in place for homeworking during this period?
Data protection is not a barrier to increased and different types of homeworking. During the pandemic, staff may work from home more frequently than usual and they can use their own device or communications equipment. Data protection law doesn’t prevent that, but you’ll need to consider the same kinds of security measures for homeworking that you’d use in normal circumstances.
This is an empathetic stance, but data protection can still create a business process hurdle that organisations need to clear. The ICO’s ‘softly-softly’ approach to enforcement suggests that homeworking can be implemented now without an onerous review of data protection rules and procedures, but that work will need to be done as soon as you can. Create a diary note.
Anecdotally, some contact centres have reported increased contact and conversion rates on their proactive outbound calling. More generally a largely captive nation of consumers is encouraging some businesses in specific sectors to accelerate their marketing efforts. If these opportunities require either the acquisition of 3rd party prospect data or new/extended proactive contact methods and channels (phone, email, social), then organisations need to tread warily. The use of inappropriate or non-compliant data sources and misuse of communication channels, against Ofcom or PECR rules, can leave organisations wide open to fines, reputational damage and the closure of revenue streams.
Payments
Contact Centre Panel’s John Greenwood has already highlighted the risks of not ensuring that card payments taken by homeworking staff are PCI-DSS compliant, as detailed in our recent article. Remember, the ICO explicitly states that in the event of a data breach then if an organisation has failed to follow the PCI-DSS rules, then the ICO will hold that against them.
The ICO states: “Although compliance with the PCI-DSS is not necessarily equivalent to compliance with the GDPR’s security principle, if you process card data and suffer a personal data breach, the ICO will consider the extent to which you have put in place measures that PCI-DSS required particularly if the breach related to a lack of particular control or process mandated by the standard.”
Insurance
The insurance industry, in part due to government encouragement, has responded flexibly and helpfully to business change in the face of Covid-19. Most insurers have extended liability cover to include staff now working from home, as well as continuing to cover IT equipment (all those newly purchased laptops!) now located in employees’ homes rather than in offices.
However, it is best to check with your business broker or insurer to ensure you are covered.
Health and Safety
The Health & Safety Executive requires employers to conduct workstation assessments of staff using Display Screen Equipment (DSE), whether staff are office or home-based. The HSE says that there is not a requirement if staff are working from home ‘temporarily’, but as time goes on some contact centre home working is likely to feel semi-permanent.
Beyond DSE, the Health & Safety Executive states that employers must consider:
• How will you keep in touch with them?
• What work activity will they be doing (and for how long)?
• Can it be done safely?
• Do you need to put control measures in place to protect them?
This applies whether the home working arrangement is permanent or just for the short-term. The best contact centre employers are mindful of this, but there are financial and health risks to both employees and employers if these measures are not in place.
Wellbeing
Although it has not yet really hit the regulatory radar, many contact centres have been at the forefront of recent initiatives to recognise the importance of maintaining good mental health in the workforce. At a time of societal change and increased awareness of anxiety and stress, the importance of the role employers play in helping staff remain focused and effective has never been greater. Ensuring the continued emotional support of contact centre staff, at all levels, needs to be maintained in parallel with working out how best to maintain motivation, morale and operational performance.
Contact Centre Panel Network members are subject to compliance reviews. To join and then remain a partner they need to have the right level of expertise to navigate the rules and regulations needed to ensure that marketing and communication efforts remain compliant.
How can CCP help?
We have a team of specialists able to advise clients and network members on data compliance, the latest industry regulations and best practice. Our services also extend to marketing data sourcing, contact centre training and engagement, wellbeing and secure payment processing.