Everyone wants positive growth. Perhaps not our waistband, but certainly everything else. It’s how capitalism works. Positive growth is a simple concept. Increase the number of new customer transactions, increase the frequency of existing customer transactions or increase the average transaction value. Deliver any one of those and growth is linear. Deliver all three and growth is exponential.

In the contact centre tech space we see lots of solution providers targeting firms that want to increase growth, whilst at the same time reducing cost to serve. They offer us great case studies of how they have increased operational efficiency, seamlessly delivered new customer communication channels and/or augmented people assets through digital assistants or BOTs to drive automation. This conversation is not about that. This conversation is about something far more basic and far more fundamental to the transaction process. Payments.

In my experience, when business managers think of contact centre payments, two things come to mind. One is taking payment cards over the phone. The second is the complexity of the Payment Card Industry Data Security Standard. Generally, the conversation ends abruptly when it comes to the PCI DSS. Usually, the discussion is never really that interesting and is likely to cost money. Plus people believe the PCI DSS to be so complex when it comes to contact centres, that it feels easier to pay the monthly non-compliance fines and increased transaction charges.

Well folks, there is another way to think about it and here is why. Just like we think of aligning our contact centre tech to engage with the customer – less friction, less cost etc, so we should think about payments. We know our customer communication strategy should align with how our customers want to engage with us, so why not our ability to take payments?

The point is that contact centre payments are just like contact centre everything else: they need to support how customers want to interact with us. And what does that mean in the context of growth? Well, the answer to that is simple. Just think about how you can take more payments from more customers more easily, at less risk and at less cost. Have a payments strategy, align it with how customers generally want to pay, and enable that within all the communication channels you use to engage with customers.

Oh, and the PCI DSS thing? Just come and ask and we’ll simplify that whole thing for you.

However, if you work in contact centres and you were around from 2017 to 2018 when the EU’s General Data Protection Regulation (GDPR) and the last Data Protection Act went live, you may be less excited about the prospect of more change!

Following the previous Bill, millions of working days were spent trying to figure out what it all meant in practical terms; changing processes and procedures; ditching databases; confusing consumers with millions of ‘would you still like to hear from us?’ emails; and preparing for a tsunami of data rights request contacts which never really happened.

Well, the good news is that the recently proposed Bill looks a lot more like a sensible tidying up of the rules (and the slightly vague promise of less data protection bureaucracy and admin), rather than a radical overhaul. The fundamentals will remain the same. The post-Brexit UK version of the GDPR will remain in place, alongside the 2018 Data Protection Act. For a business this is doubly reassuring: not only does it suggest fewer revisions and re-work to existing policies and processes, but it also means that it’s less likely that the UK’s rules will deviate so far from the EU’s that we lose our prized ‘adequacy’ status, which allows UK firms to process and transfer personal data with the EU with little friction.

There are many areas covered by the proposed Bill, but for most of us the key elements are:

If you would like to discuss these forthcoming changes and review your current approach to ensuring data protection and privacy, please drop us a line.

Source information: Data Reform Bill

It’s a conversation I’ve had more than once over the past few months, so let’s explore further:

What is ISO certification?

In layman’s terms, this is the official approval to show that you comply with one of the many international ISO standards that are in place currently.

What does ISO cover?

There are many (and I mean many) different ISO standards available, covering things from IT Security to Environmental Management.

Do I need to be ISO certified?

The simple answer is no, however, it does truly depend on your current circumstances and future objectives.

When should I be considering ISO certification?

Again, this really does depend on your current circumstances. Many organisations go for a specific ISO certification because their clients demand it or it is required for a particular tender. Some organisations use it as a barometer of how well they are doing, and whether there are certain improvements they need to make.

If you are considering embarking on the ISO certification journey, we would suggest considering three key areas before setting off:

1) Cost: Be prepared to make a commercial commitment as part of the certification process and beyond. Whilst there will be an initial cost for the audit and award of the certificate, most businesses forget to track the cost of the internal resource they will need to engage with for the preparation and delivery of the ISO accreditation.

2) Time: Ensure that you book plenty of time in ahead of the audit date. Use this time to conduct a gap analysis against the standard, ensuring you cover all of the points ahead of the audit. You don’t want to go through this process more than once – it will cost you precious time and money.

3) Internal buy-in: There’s nothing more important than to ensure you have all key business stakeholders on board before you set off. Some certifications, such as ISO9001 – Quality Management Systems, will touch upon all areas of the business. Delivering one, strong, united message across your business is pivotal.

Achieving certification may provide increased sales opportunities or identify risk/opportunities you were never aware of. All in all, the benefits that you gain will vary greatly depending on the ISO standard that you implement and the amount of effort you put into it.

Need a safe pair of hands as part of your ISO journey? Drop us a line.

The primary reason for these firms being fined was that they were calling prospects who they didn’t have a prior relationship with, whose numbers were registered with the Telephone Preference Service (TPS). This, as most of us should well know, is illegal, as covered in our previous articles – ICO flurry of fines and BTB sales and marketing ops compliance.

However, when the ICO levies a whole series of fines on firms in the same sector, with similar sales and marketing models, it’s evidence of other underlying concerns. Although the ICO’s Enforcement Notices only refer to 67 consumer complaints, these kinds of collective enforcement actions are invariably evidence of alarm bells ringing at the ICO’s Wilmslow offices about widespread misbehaviour. Here, the ICO has highlighted these firms’ targeting of vulnerable consumers, in this case the elderly.

Targeting the vulnerable elderly

Undoubtedly, judging by the evidence presented by the ICO, this is exactly what these businesses did. While it’s arguably unfair to judge a firm’s sales and marketing practices based on relatively little information, I think we can be confident that these firms were all at the malicious end of the ‘Ignorant vs Complicit’ spectrum of compliance awareness. They seem to have known exactly what they were doing, which is to deliberately target the vulnerable; selling on the basis of worry and fear, not value and consumer benefit, to those least well equipped to make informed decisions.

Scammers stick together

In an interesting example of geographical clustering, 4 out of 5 of the firms were located in East Sussex on the South coast, presumably showing connections to the biggest name in appliance warranty insurance, Domestic & General in Brighton (about which there is no evidence of the ICO having concerns, I hasten to add). So, even scammers like to stick together!

The vast majority of firms don’t set out to exploit or deceive, but

  1. Being a legitimate, respectable firm – even a blue-chip brand – is no guarantee you won’t be snared by the ICO, as the Royal Mail, American Express and Saga, which have all recently been hit by enforcement actions and fines, can attest
  2. Awareness of the prevalence and importance of vulnerabilities has grown. An understanding of vulnerability had increased before Covid 19, but the pandemic has accelerated it massively. Firms need to be able to both recognise and adapt to prospects and customers who are exhibiting signs of vulnerability

So, what can we learn from this raft of ICO fines? Does the rise of vulnerability awareness just mean that we can no longer sell to older people?

We sought the opinions of some members of the wider Contact Centre Panel network.

Are older consumers too ‘risky’ to market to?

Senior Response is a long-established outsourced contact centre “dedicated to communicating with the older consumer market”. So, what conclusions does Managing Director Michael King draw from the ICO’s slew of fines? Can firms still confidently market and sell to Mature consumers?

“We find that firms which utilise direct mail or online activity prior to commencing telemarketing activity not only have better results but give the customer and prospect the opportunity to know a little bit more about the business and ultimately be more receptive to being contacted.

We work very closely with our clients to ensure that we have a shared Vulnerable Customer policy, which outlines the process if we believe we have a vulnerable customer and what steps to take.

The other point I would stress is that firms should be aware that the adult children or grandchildren of many mature consumers are often part of the decision-making process and therefore your customer journey from marketing to sales, should incorporate this. We often arrange call-backs with our client’s customers to speak with the family member where permission is granted by the customer and requested by the family member. We all want to ensure our parents and elderly relatives are not being taken advantage of by the very things that the ICO have acted on.  It is our view that firms who are proactive in the examples I have mentioned, are more successful in marketing to this rapidly growing market.”

What really is vulnerability?

“Circumstances impact people in different ways – what makes one person vulnerable may affect another quite differently. Age, mental and physical health and financial pressures are all subjective. We believe it is important to communicate with people in the most tailored way possible according to their circumstances and use the tools available to determine what is appropriate.” Helen Lord, CEO, Vulnerability Registration Service

How can technology help?

Can the new technologies of machine learning and artificial intelligence play a part in helping firms identify vulnerable prospects and customers – and serve them better, too?

Keith Shanks of Vorth Technology Solutions helps make contact centres work more effectively through the application of AI (artificial intelligence) tools. Can they support centres involved in sales and marketing, especially when they are targeting groups which may contain vulnerable consumers?

“Advances in AI and Machine Learning (ML) now mean that all contact centres are able to highlight potentially vulnerable customers. As has already been highlighted, vulnerability comes in many different forms and it is the responsibility of companies to understand these and act appropriately.

The truth is there is insufficient attention given to vulnerability and if you consider the current economic climate, responsible companies should be paying more attention to the welfare of their customers and the right technology will have a huge impact on this.

We expect a mini-revolution in this field over the next few years as regulators also start using technologies to review and monitor call centre services.”

Financial services: What’s the FCA’s perspective?

Elanev provides dynamic scoring services to contact centres including propensity and best time for contact, propensity for purchase and propensity for financial resilience / vulnerability with no GDPR implication.  Elanev’s John Willoughby gives his practical guidance for the future of such financial product sales and marketing, in light of proposed regulatory changes:

“Financial product sales will be bound by the FCA’s proposed Consumer Duty requiring marketing firms to “deliver good outcomes for retail clients”. The FCA expects all reasonable steps to be taken to avoid causing foreseeable harm to customers. Harm being primarily financial, but may also include mental health effects.

The FCA is requiring firms to have a better understanding of their customers calling out the need to understand customer propensity for vulnerability and to harm. The FCA expects firms to predict behaviour and monitor outcomes recognising the need for data to support this. Common data sources include:

 To properly identify, quantify and assess vulnerability a combination of data sources may be needed. The specific combination depending on the depth of customer insight that the organisation has and the level of customer consent granted.”

So where does this leave us?

Helen Lord of the Vulnerability Registration Service makes clear that vulnerability isn’t simple or clear cut. The scammers recently fined by the ICO deliberately targeted older people, but not all older people are vulnerable. So, we all need to be more vulnerability aware and unavoidably some customer and prospect groups are likely to contain a higher proportion of people with vulnerabilities. Senior Response is dedicated to engaging and communicating with older people, but as Michael King explains, they do so in a sophisticated way. Senior Response and its clients make use of multiple contact channels and embrace more varied and flexible customer journeys. This might point the way for other sales organisations – and not just for those targeting the ‘grey market’.

A growing role for technology and the insights it can provide seems to be unavoidable and desirable. Vorth Technology Solutions’ Keith Shanks has explained how technologies like his can help identify the ‘growing’ number of vulnerable consumers. John Willoughby from Elanev shows that in the regulated financial services sector, especially, the smarter use of data across a combination of sources is now essential.

The ICO’s fines of exploitative scam marketers don’t mean that older consumers are now ‘off limits’ for responsible, ethical firms. But the fines do help highlight the growing importance of being able to recognise and respond to consumer vulnerabilities; not just as an ‘add on’ but in a way that is embedded into processes and customer journeys.

If you require guidance on any of the areas discussed in this article, please contact us.

On the 31 March 2022, the Payment Card Industry Security Standards Council officially announced the publication of v4.0 of the PCI DSS. In this article, we look at the declared goals of v4.0 and the key changes from the current version of the standard.

Three points to make upfront. Firstly, the PCI SSC has made this a big document. At 356 pages there are an additional 217 pages of guidance including the PCI SSC glossary, which makes the document much easier to use. Secondly, it has taken time for the document to be globally released, since first being announced in late 2017. Yes, Covid has been a factor, but so has the SSC’s objective to make this document inclusive. By reaching out to the secure payments community not once, but three times, receiving over six thousand items of feedback from 200 plus organisations the document adds flexibility whilst focusing entities on what is required to keep card data secure. Finally, the current version of the DSS, v3.2.1 will not be retired until March 31 2024, so there is a long transition period.

Goal 1 – Ensure the standard continues to meet the security needs of the payment industry

Released at the same time as v4.0 is a Summary of Changes document. This lists 64 new requirements, 11 of which just apply to third-party service providers. Whilst the secure payments community will always be playing catch up, the DSS certainly makes the effort to align to the current threat landscape, even though 51 of the new Requirements are not ‘effective’ until 31 March 2025.

Goal 2 – Add flexibility and support for additional methodologies to achieve security

As well as continuing with the ‘Defined’ approach with ‘Compensating Controls’, v4.0 introduces the ‘Customised’ approach. This is a new method to implement and validate PCI DSS requirements where entities demonstrate that they meet the intent of the DSS and can ‘adopt’ their own testing procedures, signed off by their (Qualified Security Assessor) QSA and acquirer.

Goal 3 – Promote security as a continuous process

In v4.0 this has been made a priority to dispel the notion that PCI DSS compliance is a once-a-year tick box exercise, much like an MOT. Whilst ‘roles & responsibilities’ has only two mentions in the current version, each of the 12 core requirements now has headline text that states “Roles and responsibilities for performing activities in requirement x are documented, assigned and understood.”

Goal 4 – Enhance validation methods and procedures

Whilst much of this goal is achieved by the introduction of the ‘Customised’ approach, we can see through the new supporting documentation for external auditors (QSAs) increased alignment between information reported in a Report on Compliance and information summarised in an Attestation of Compliance. We expect to see more when the new Self Assessments are released in Q2.

So, in summary, a really helpful document that we have time to consider. Certainly the ‘Customised’ approach should prompt ongoing conversations, especially around the additional time, costs and effort involved for all stakeholders in agreeing to testing procedures, especially when it comes to sign off and liability in the event of a future data compromise. Food for thought!

The Information Commissioner’s Office (ICO) ‘never said’ that charities were exempt from all or most of the data privacy and protection rules that govern sales and marketing; however, many people in the charity sector thought they had an exemption. Plus there were never any enforcement cases or fines of charities, so there was no evidence that the ICO did care about charities’ rule-breaking.

Then, from 2015 and 2016, in the wake of the death of Bristol poppy seller, Olive Cooke, charities’ fundraising techniques came under a lot of scrutiny and criticism. Inevitably, the ICO became involved and its investigations culminated in fining the following big-name charities in 2017:

The International Fund for Animal Welfare, Cancer Support UK, Cancer Research UK, Guide Dogs for the Blind, Macmillan, the British Legion, NSPCC, Great Ormond Street, WWF, Battersea Dogs & Cats Home and Oxfam. 

This was a ‘shot across the bows’ of the whole charity sector, specifically highlighting the charities’ undeclared, hidden sharing of supporters’ data and income profiling (wealth screening). The total amount of the fines levied – £138,000 – wasn’t that great, but the reputational damage of what should be some of the most trusted organisations in the country was considerable. And the knock-on impact on charities’ fundraising business models contributed to millions of lost revenue for their causes.  

Incidentally, the ICO’s focus on charities’ marketing practices has diminished, but it’s not gone away as evidenced by this recent fine of a charity sending SMS appeals without consent.

So what? 

That was and is a very challenging experience for charities, but most of us don’t work in the third sector. So, why the brief history lesson? Because commercial B2B sales and marketing may be about to go through a similar experience.

B2B’s wake up call 

Again, the ICO has ‘definitely’ never said that B2B sales and marketing isn’t covered by the data protection rules, though some aspects of the regulations are less stringent for business communications. However, a lot of B2B players certainly act like they’re excluded from the compliance considerations of their informed and professional B2C peers.  

Why? Well, partly because the ICO never fines organisations for B2B marketing failings. Or at least not until now. 

We all aspire to do the best for our prospects and customers, treat them with respect and in accordance with the law. But, inevitably, when these questions seem to be rather nuanced and not simply black and white, rational organisations will apply a risk assessment to guide their degree and prioritisation of compliance with regulations. So, if you operate B2B and the regulator seems to ignore your sector and business area then it’s reasonable to think that the level of regulatory risk you are exposed to is a lot less than in B2C.

All change 

A fine imposed by the ICO in late December suggests that things have changed. This case not only created considerable disruption to the operations of Northern Gas & Power, a business energy brokerage company based in Gateshead, it has also resulted in negative publicity, reputational damage and a £75,000 fine.

Northern Gas & Power largely sells its brokerage service to businesses through outbound calling from its two contact centres in Gateshead and Leeds. Northern operates – or operated – at scale, with over 4 million call attempts made in the year from May. However, irrespective of volume there are a couple of clear lessons we can all draw from Northern Gas & Power’s experience.

  1. Northern failed to screen its calling data against the Telephone Preference Service (TPS) or the TPS’s little-known business number equivalent, the Corporate Telephone Preference Service (CTPS). As you will probably know, the TPS is the national ‘opt out’ register which needs to be referenced before undertaking any ‘cold’ or unconsented sales and marketing calling. Most B2C organisations are very aware of the TPS, B2B firms often less so – and the CTPS is largely forgotten by nearly everybody.

That will need to change.

  2. When the GDPR arrived here (as the 2018 Data Protection Act in the UK) there was a lot of talk about the fuzzy lines between individuals and companies. You can email hello@contactcentrepanel.com and that’s a business address, but sullivan@contactcentrepanel.com is my personal data. Similarly, the Contact Centre Panel office number 0114 2096120 isn’t anyone’s personal data (though it could be registered with the CTPS and thus off-limits), but my mobile number is. And for many companies, personal email and mobile will be the only way of making contact.

All these aspects need to be thought through, understood and managed.

  3. Northern purchased prospect data, but did not undertake appropriate due diligence of its suppliers to ensure they were compliant and reputable. It failed to ensure robust, defensible contracts were in place with its suppliers and didn’t test or audit the data supplied.

Buying third party data is now one of the most potentially fraught and risky activities an organisation can undertake and needs to be handled with deliberation and care. 

  4. As the ICO’s enforcement notice makes clear, Northern’s operational management, internal controls and processes were poor. Added to which, its contact management systems – and Northern’s team’s ability to manage them – were very deficient, directly leading to poor data management and poor handling of suppression requests.

Northern Gas & Power has experienced considerable growth and apparent success, but without sound operational, data and technology underpinnings, continued success is increasingly difficult to sustain.

Whether you exclusively market to businesses or do so in combination with targeting consumers, the ICO’s latest move strongly suggests that B2B has lost any real or imagined status as a data protection compliance exception.

Contact Centre Panel boasts many years of collective experience in B2C and B2B customer targeting, acquisition and service, supplemented by a deep but pragmatic understanding of how to design and operate business models compliantly. Contact Centre Panel can offer clients

What do Boris Johnson, Len McCluskey, Philip Schofield and Mike Ashley all have in common? The thing that links this peculiar group is that their organisations, parties, or companies have all been fined by the Information Commissioner’s Office (ICO) over the past few months for illegal marketing activities. Even though none of these fines (which you can read about here) have had quite the amount of publicity you might think they deserve, they have all resulted in a degree of reputational damage, disruption to business plans and a chunk of unbudgeted costs.
Boris, Len, Philip and Mike are unlikely to form any one person’s ‘top 4 favourite people’ list, but each has their fans and supporters who might be surprised to see them involved in breaking the law in terms of how they market to consumers. Contact centres are squarely in the ICO’s line of fire and you should focus on making very sure that your brand or operation doesn’t find itself in the same position as Boris, Len, Philip and Mike.

We’ve been carrying out some analysis to help you do just that. Helpfully, in 2021 (to date) the ICO has imposed twice as many fines as it did in the whole of last year; part of a steady increase in the ICO’s enforcement action. (Incidentally, hardly any of these fines are imposed under the 2018 Data Protection Act – which is how the government turned the GDPR into UK Law – but are infringements of the far older and less well-known PECR rules. However, that’s another story.)

Lesson 1 – Voice still rules (when it comes to breaking the rules)

We live in a multi-channel world, but when it comes to rule-breaking the phone is still the leading communication channel. Very few contact centres do not have phone calls as at least part of their channel mix, but those which make outbound calls need to be especially conscious of the rules.

The rules include those governed by Ofcom which contain, but aren’t limited to, the use of predictive diallers, an area that we will be covering in a future article.

However, most enforcement is carried out by the ICO and invariably when companies are fined for their live calling it’s because they haven’t screened outbound calling lists against the Telephone Preference Service (TPS) register.

“Well, that’s obvious,” you might say. “People have been doing that for over 20 years. Only crooks and scammers wouldn’t TPS screen!” That’s partly true, but it’s not just the scammers who have been fined.

Sometimes, firms think they have a prior relationship or permission that means they don’t need to screen against the TPS. In some cases, having an existing relationship does trump the need to TPS screen, but not always and the criteria aren’t always black and white.

Need some help navigating the ‘TPS or not?’ question? Give us a call

In other cases, firms have been reassured that the external calling data they have been provided has already been TPS screened by the data provider, when in fact it hasn’t. The ICO has repeatedly made clear that it expects brands and data purchasers to undertake the checks and due diligence needed to ensure that data is compliant and legal. “Don’t expect; inspect!”

Contact Centre Panel can help with this unenviable challenge, too. See Lesson 2, below.

Lesson 2 – 3rd Party Data? A first party problem

The incorrect or inappropriate use of third-party data – which is typically bought or rented to allow firms to access new potential customers – is a very common feature of the ICO’s enforcement cases, specifically mentioned in nearly half of them.

The whole area of the law and regulations around the identification and management of consumers’ personal data is complex and potentially fraught – especially when the data is provided by a third party.

As previously mentioned, as far as the ICO is concerned the compliance onus is on the data purchaser. Users of third-party data must undertake thorough due diligence of data providers to ensure they have a sound legal basis to use the data for marketing purposes, as well as having robust, enforceable contracts in place. This cannot be a ‘one and done’ or tick box exercise and should start with a thorough audit of the legal and compliance standing of the data provider.

Fortunately, Contact Centre Panel can help. We have undertaken a lengthy and detailed rolling audit of the legal and compliance status of over 50 data providers. As a result, Contact Centre Panel has identified a small group of providers – which offer data for use in a variety of channels – who we feel are well-placed to potentially offer legal and compliant assistance to contact centres and brands.

Lesson 3 – Who’s calling?

About a quarter of all ICO fines – and half of the phone-based enforcement cases – involve the incorrect use of Caller Line Identification (CLI) numbers. As you probably know, these are the numbers presented on the customer’s phone when you call them.

Again, it’s Ofcom that sets the rules and regulations about the use of CLIs, but it’s the ICO who are pushing fines and enforcement. Misusing CLIs is a red flag to the regulator.

Simply put, CLIs should clearly identify the recipient of the call, be dialable, consistent and not confuse or mislead the consumer. In addition, if the customer rings the CLI number back you need to be able to inform the customer who you are and why you were ringing them.

That probably sounds very straightforward and you may well be very confident about your use of CLIs. But that might not always be the case even when you feel you are being reasonable and fair:

Sadly, the answers to these questions aren’t always clear, but you need to work out your approach and justification if you want to avoid damaging legal action and fines. Need a hand? Let us know.

Dr Lisa works in the commercial food safety arena, working as an expert witness for food law and practice and is regularly called upon to comment on public hygiene issues in the media. She also appears on prime-time consumer shows which have included Watchdog, Rogue Restaurants and Holiday Hit Squad in addition to many radio and TV news programmes. She has worked with Food Safety Adviser to UKHospitality and is a Trustee of the Royal Society for Public Health.

We spoke to Dr Lisa about ‘Natasha’s Law’ – a legal response to the tragic consequences of an allergic reaction. The requirement is that all food that is prepacked for direct sale (PPDS) will need to comply with new labelling rules before 1st October 2021. We talked about the new regulations and their impact on the customer service operations for food and hospitality sector businesses.

How will the new regulations change customer service for the businesses involved?

Dr Lisa explained that: “Even before the new law, food businesses needed to have accurate information on allergens so they could pass this onto customers. This needs to be absolutely up to date information about allergens in their company’s products. If the data is inaccurate, the message will be inaccurate and the consequences could be fatal.”

She continued: “Ingredients from suppliers must come from a reliable source which can supply accurate live data about ingredients.”

Where can organisations get access to this live data about what’s in the foods?

Dr Lisa explained: “Thankfully there are businesses working hard to make vital allergen information available to the industry and consumers alike. NT Assure, for example, are a company of food technologists who check data and make it available in a number of formats for food retailers, cafes and restaurants or their end customers. Away from the point of sale, an app called Glass Onion is available which aims to allow people to select places or things to eat based on their specific dietary or allergen needs.”

She continued: “It’s still imperative, though, that the allergic customer should speak to the business about their needs to make sure the business can prepare food safely for them. This is where having the right information, systems and training available to customer-facing staff is vital.”

Dr Lisa added: “It’s reasonably easy for a business, when asked, to gather the information and pass this onto the customer about the ingredients that their suppliers have declared. However, there still needs to be a further discussion about the risks of cross-contamination during preparation and cooking, for example about whether a fryer is used for foods containing the ingredients to which they are allergic.”

She concluded: “That’s where good customer service support can really help. A common approach to communicating important and updated allergen data can ensure that the right information is given to those customers who need it, reducing the stress and training burden on front-of-house staff.”

What are the new regulations and which businesses are affected?

Dr Lisa stated that: “All food that is prepacked for direct sale (PPDS) will be required by law to have clear labelling showing all the ingredients with the 14 legally declarable allergens shown clearly (usually in bold). This now applies to foods made in-house (previously they were exempt). Many see this as a huge step in the right direction to ensuring allergic guests have detailed information in the same way as if buying a typical food at retail, but there are some potentially unforeseen consequences for many businesses who face the challenges of preparing an accurate label.”

She continued: “All restaurants are required to display signage or information on their menus to encourage allergic customers to talk to them about their needs. To my mind, this dialogue is absolutely critical, regardless of whether the customer is buying a PPDS food with a label on or a restaurant meal.”

Dr Lisa explained: “I believe that once a business knows they have a customer with a need to avoid a food, they can then take actions to prepare food specifically and safely for that customer. In many cases where there are issues or complaints, restaurants report that the customer had not made them aware of their allergy and had chosen from the menu without checking. This is something everyone needs to avoid. I think a proactive approach by the business is often the best, asking guests when they are seated if anyone has any allergies or intolerances they (the kitchen) need to know about. This helps to make the customer more at ease and prompts reluctant guests (often young adults are shy to say about their needs).”

She stated that: “If a business fails to provide food that is not as ordered or requested, then this is a legal contravention and of course could end in tragedy; for so many reasons, businesses need to get this right.”

She added: “Delivered food is exempt from labelling. This carries huge risks, for example, if verbal instructions given by the customer when ordering don’t reach the chef. There have been issues where instructions given via online systems have not been clear or communicated properly to the restaurant and this is an area that is being worked through to make improvements across the board.”

Dr Lisa points out that: “There are still possibilities for confusion, as whilst any food which is packaged prior to order could be PPDS much depends on the detail of how the food is packaged. If it is only loosely packaged, with for example an unclosed box, it may not be PPDS. Some foods in an outlet may be exactly the same but will fall into PPDS and require a label if in a sealed bag, or will not need one if on a cake stand – for instance, you might buy a bagged croissant which must have clear labelling about allergens, but a loose croissant in the same cafe does not need labels, even though it might be sitting next to the almond croissant you’re violently allergic to.”

She concluded by saying that “An area of confusion is how the Food Hygiene Rating Scheme fits into allergen confidence. Currently whilst there is a “confidence in management” element in the scheme, it is not specifically concerned with allergen management. So, a 5 Food Hygiene Rating does not necessarily mean that a restaurant or cafe is allergen safe. It is vital then, that consumers engage with the business to make sure that the food they are buying is safe for them, regardless of the Food Hygiene Rating. Allergy UK is now offering the ‘Allergy Aware’ scheme for hospitality venues but this is much less well known. The FHRS is currently under review by the FSA together with a panel of stakeholders.”

What are the main issues for food and hospitality sector businesses?

Dr Lisa responded: “Many businesses are dealing with the new legislation by trying to design out human error because providing incorrect or incomplete information at the point of sale can have serious consequences in human terms, not just failing to meet the law’s requirements.”

She explained: “For a small business, the burden of the new legislation may mean that many stop selling PPDS foods. In a restaurant or cafe, the onerous labelling requirements (which include listing ingredients by descending order of weight) will apply to them if they serve PPDS foods, but they do not have the technology and resources of a large manufacturer. They can’t write the complicated labels by hand – just look at the back of a retail sandwich and you will see why! Furthermore, working often from a small kitchen where there is naturally more risk of cross-contamination compared with a large manufacturer who has discrete lines for each food.”

Dr Lisa made it clear that: “Whilst there are 14 allergens covered by the UK labelling law, there are actually at least 160 foods that have been reported to cause an allergic reaction for some people. A simple-looking sandwich can be a very complicated collection of potential allergens (not just the 14), and a typical kitchen cannot be realistically expected to strip down after every order is made up. Anyone claiming food is “allergen free” is deluded in my opinion – it is not possible! I would urge everyone to avoid this term completely, as I would say it is also misleading.”

She added: “Interestingly, UKHospitality found that 40% of reported allergy complaints are made by people who have not made their allergy clear in advance. PPDS law may mean less rather than more dialogue, leading to unforeseen risks.”

Dr Lisa concluded by saying that: “The new regulations place the responsibility firmly with the food business, not the consumer, but this is a partnership. To avoid problems, food businesses need to offer clear signage, labelling and pathways for consumers to ask questions about their food. Centralised customer service teams with timely access to the most up to date information can play a huge part in helping front-of-house staff and chefs to deal with enquiries from concerned customers, but above all, the data whether held locally or centrally needs to be accurate.”

How can food businesses and their customer service teams prepare for the introduction of Natasha’s Law?

Before taking your next steps to get your teams ready, consider the following suggestions from Dr Lisa. Are your leaders and staff ready to address these issues?

If your business works in the food and hospitality sector, or if you’re providing outsourced customer service for food clients, we can help you to get ready for these important new laws. Get in touch with Contact Centre Panel to discuss your next steps.

Charles was a panelist on our recent Homeworking webinar and was the ideal person to speak to about the risks facing customer service and contact businesses as they embrace hybrid working models as we ease out of the pandemic.

As we are emerging from the pandemic, what has Covid meant to Health & Safety professionals?

Charles recalls the past year: “Covid was a surprise to most health & safety professionals. The pandemic fell upon us and many people thought that it would be a temporary situation, with working from home as a short-term fix but as the pandemic became a fact of working life, Health & Safety professionals have had to consider some more permanent solutions: can people realistically do their jobs at home? And from the professional standpoint, can they do it safely?”

He continues: “In over a year since the first lockdown, we’ve all become very familiar with the ways that home and hybrid working have been made possible. Most people think of the software solutions like Teams, Zoom and so on, but from a Health & Safety perspective we have to think much more widely.”

Charles concludes: “From a health & safety perspective, working in a home environment is very different to an office.”

So as people have got used to working from home and are now returning to more flexible, hybrid ways of working, what are the big Health & Safety considerations?

Charles explains: “The workplaces we are used to will have had Health & Safety Risk Assessments in place, which recognise hazards and provide ways to mitigate and control the risk. These are generally standardised and can be made available to managers and workers relatively easily and centrally. Workstations in offices, especially contact centre environments, tend to be similar and provide a good level of safety to team members. Allowances can be made for individuals on a case-by-case basis depending on their needs, which can be easily talked about during the working day.”

He states: “It’s completely different when people find themselves relocated to working from home at short notice. We have experienced enormous variations in the suitability of workspaces, equipment and challenges which we had very little time to prepare for or adapt to.”

Charles points out: “Under Health & Safety laws, employers have an obligation to ensure that their staff are kept safe. This applies to wherever the workers are fulfilling their roles.”

He continues: “Bad workplaces can result in serious problems for workers. Lighting, ergonomics and comfort, as well as the immediate physical safety of appliances or tools, are more difficult to control away from the office but are equally important wherever your team members are working and using them.”

How can customer service businesses deal with the new risks?

Charles states: “If you have team members who are spending any time working from home, your obligations as an employer cover both the office and the home workspace, or anywhere your staff regularly work. In practical terms, this means completing a risk assessment for hybrid and homeworkers in their homes. These risk assessments should be used to establish what our workers have in place, versus what they should expect.”

He continues: “In short: If your workers’ spaces cannot be made safe, then those workers should not be working from home.”

Charles adds: “There are more detailed requirements too. PAT (Portable Appliance) Testing is a well-known control measure in the workplace. Equipment used elsewhere must be kept safe, one of the more easy-to-understand difficulties with basing people away from any centralised location.”

He concludes: “Businesses can use standardised tests to identify many risks in non-standard workplaces, though. A DSE Workstation Assessment can be completed by employees with minimal, easy-to-understand training and support. An electronic assessment sent to the HR department or an independent Health & Safety consultancy can be used to collate a company-wide view of the main risks. This view can be analysed for the organisation as a whole and used to prioritise actions and mitigate risks, as well as demonstrating a commitment to looking after your teams.”

What about individual needs?

Charles starts: “A company’s obligations extend to all employees, not just the workforce as a whole. Where an individual team member has an issue, it’s up to the employer to decide what action should be taken.”

He explains: “Some people find homeworking difficult, so an extra effort should be made to make communication regular and as easy as possible for your teams. One good example of this which we’ve seen clients enjoying during the pandemic is a weekly online social lunch, where teams spend time together, from home, without a business agenda. Events like this can maintain a sense of togetherness during difficult times and might help hybrid workers long into the future.”

Charles says: “Stress is an adverse reaction to pressure. Pressure can improve performance in some people but too much pressure can have a seriously adverse effect on not only results, but the health of your people.”

He continues: “If we think of stress as water, everyone has a different-sized jug for their ability to deal with the flow of it. Employers bear a responsibility to alleviate and manage the pressure, to reduce or control the flow of that water. It’s important to be aware that pressure not only flows from work, but from everywhere else in an individual’s life too.”

Charles states: “Hybrid working is a good example of the flexibility now available to employers. Remember that the same flexibility can be used to offer employees a less stressful way of working, something that suits their own life and challenges more effectively.”

He explains: “With less organic interaction between your teams, try to encourage more mentorship and informal training to allow your employees to develop their skills as well as their social interactions. Support knowledge-sharing, wherever possible, to replace those conversations which many of us used to have in the office every day. Mentoring can be a vastly underrated and highly effective method of informal training for the whole business.”

Charles concludes: “It costs around £10,000 on average to replace an employee, so businesses should be aiming to retain their team members, not least for simple economic reasons.”

With many offices now opening, what should businesses be thinking about in terms of Health & Safety?

Charles states: “If there’s one thing to take away, it’s that a person’s workplace is everywhere they work. That means that employers have a duty of care to take account of working conditions in more than just the office. If you can’t do that for everyone, then you might have to enable some of your team members to come back permanently to the office.”

He concludes: “Outside the legal point of view, forward-thinking employers will also be communicating with their team members much more frequently than they used to. There are more factors at play now than ever before, with the lines blurring between home and working lives, so as employers we need to be more mindful of the health of our teams. We can help to keep the business healthy by working hard to keep our people healthy too.”

If you’d like to discuss how your organisation can be more effective in implementing hybrid working successfully, our expert team can help. This includes providing guidance on how to work with your employees to maximise their health, happiness, and productivity.

Our ‘coffee table discussion’ panel explored the possibilities…

The rapid drive towards homeworking throughout 2020 has forced many contact centres to enable agents working from home, but some operations have felt forced into cutting corners, especially in relation to payment security, data compliance and working standards.

Contact Centre Panel’s series of webinars was launched to discuss these issues and to offer practical solutions for contact centres to provide an excellent level of service whilst safeguarding clients, callers and agents as well as their own business.

On 17 February 2021, Contact Centre Panel hosted a webinar focused on contact centre homeworking, asking our panel of experts the question ‘how can businesses create a genuinely safe, secure and flexible working environment for their teams so they can flourish and achieve wherever they work?’. John Greenwood, Head of Technology & Payments, Contact Centre Panel, hosted the webinar and was joined by:

Simon Turner, PCI DSS Advisory Cloud Services & Contact Centres (QSA), BT Plc, providing input from a security and payments compliance perspective

Steve Sullivan, Head of Regulatory Compliance, Contact Centre Panel, a contact centre operations and Data Protection specialist and vice-chair of the UK Data & Marketing Association’s Contact Centre Council

Brent Agar, Director, SentryBay, an endpoint security expert with over 20 years’ experience

Felix Clarke, Cloudbased Partners, an experienced risk assessment specialist

What’s the situation in early 2021?

In our audience survey:

Along with the growth of home working, there has been a rise in telephone-related fraud. Feedback from the Payment Card Schemes points to an overall increase in the MOTO (Mail Order Telephone Order) payments acceptance channel of up to 400% since March 2020, a clear indication that the criminal community is taking advantage of the changes that home working is forcing upon us.

Minimising these risks is not only good business; when it comes to keeping data secure, it’s a legal obligation covered by the Data Protection Act 2018 and the Health and Safety at Work Act 1974.

Looking at the big picture, Steve Sullivan began by highlighting that homeworking has brought some big positives to the sector:

Based on recent research, most businesses have seen overall increased performance metrics, including CSAT (customer satisfaction) results, plus performance and productivity improvements up to the end of 2020.

Talking about the most important technical implications of the forced move to working from home, Brent Agar and Simon Turner outlined the challenges presented by the move from a physical security world, where offices and contact centres were built and managed to be secure places for people and data to be put to work, to a remote working situation where endpoint security has become the focus for compliance and protection.

What’s the risk exposure of teams moving into the home environment?

Felix Clarke described the situation now: “We’re in this blitz spirit situation where people have been prepared to put up with it and wait and see… The Government has said that they will bring out new health & safety rules but they’re not ready yet… and the unions and lawyers who know they can’t get involved yet but are waiting.” However, this spirit of all being in this situation together cannot last forever. For now, employees working from home and their employers are finding ways to get the job done, but the honeymoon period is bound to end and organisations who are cutting corners will start to be exposed. This will have knock-on effects not only for team members but for end consumers, brands and contact centre business owners alike.

Where payments are concerned, there are risks associated with employees using their own computers or where company-owned computers are not fully protected. Traditional anti-virus software may not protect your business from some technical weaknesses. Options include buying and maintaining expensive computers for your full team or installing additional software to protect your business from attacks.

It’s critical to remember that your people are in scope too when it comes to compliance with standards. Technology is important of course, but your agents, whether internal or outsourced, are a critical part of the process. Iteratively developing our processes to take account of the behaviour of agents working away from the usual office environment is crucial.

What technological solutions are out there?

The risks inherent with homeworking can be partially mitigated by good endpoint security systems. The PCI Standards Council says that ‘by limiting exposure of payment data and your systems, you simplify scope and validation, reducing the chance of being a target for criminals.’

The reality is that in any situation where an agent is taking personal or payment data over the phone, there is a risk that data can be recorded manually or digitally, either in good faith or more worryingly criminally, using techniques such as keylogging or screen capture systems which can be installed without the user’s knowledge through spyware or similar attacks.

Brent introduced a piece of software by SentryBay which scrambles the information taken by keyloggers and disables screen capture. So regardless of whether the agent is acting dishonestly or has been the unwitting victim of a spyware attack, the software prevents sensitive data being captured and passed on. With millions of installations worldwide, this tried and tested solution is used by some of the largest banks and insurance companies to help them minimise their risks.

Software like this is not restricted to large financial institutions, however. With most businesses that use contact centres processing personal data and payment data in some form, there is arguably a greater risk to smaller businesses. Implementing solutions such as technical endpoint protection is scalable and suitable for all sizes of business. It’s important to remember that the liability for compliance rests with the merchant, even if they use outsourced resources to process data or payments.

Have industry bodies changed their approach?

In the UK, the ICO (Information Commissioner’s Office) has published a lot of advice on working from home but has said little about the security of payment card data, pointing only to the Payment Card Industry Security Standards Council (PCI SSC), the body responsible for the security standards supporting the card payments ecosystem, where guidance on homeworking has been published and promoted.

The Data and Marketing Association (DMA) has not fundamentally changed its guidance for distributed workforces at this stage but encourages a systemic approach to data security and data protection. Being aware of your duty of care to front line staff to minimise their exposure is important.

Regulators will not maintain their recent light touch indefinitely and some large brands will doubtless fall foul of decisions they have made which do not mitigate risks sufficiently. By building systems that protect your staff from sensitive data, they will have to worry less about the lure of fraudulent activity and can focus more on the positive aspects of their jobs.

What about the claims industry?

As an employer, if you put your teams into a situation where they are at risk, the claims industry is likely to be preparing to catch up with you soon. Felix Clarke: “We’ve already seen articles with titles like ‘17 ways you can hurt yourself working from home’ so if you inadvertently put employees into a situation where they could be hurt or discriminated against while working from home… claims will probably follow before too long.”

How can we help our teams to safely provide an excellent service to our customers?

To summarise the findings of our panel, there are a few key considerations that will help enormously to protect customers, agents and businesses:

To summarise the discussion perfectly, Steve Sullivan said: “There are a lot of angry frustrated customers out there… so anything we can do to make our agents’ lives easier and let them focus on what they’re best at is for everybody’s benefit.”

You can hear all the insights given by our expert panel in full by watching the webinar:

Our next webinar is focused on ‘homeworking health & safety considerations and legal risks’, if you’d like to attend click here.

If you’re unsure how to assess your business’s risk exposure and how to equip it to handle any new risks posed by changeable working conditions, we can help by advising you on the risks you need to consider and the best way to mitigate them. We can also help you to learn how to work with your employees to maximise their health, happiness, and productivity. Get in touch.