On the 31 March 2022, the Payment Card Industry Security Standards Council officially announced the publication of v4.0 of the PCI DSS. In this article, we look at the declared goals of v4.0 and the key changes from the current version of the standard.

Three points to make upfront. Firstly, the PCI SSC has made this a big document: at 356 pages, it includes an additional 217 pages of guidance, including the PCI SSC glossary, which makes the document much easier to use. Secondly, it has taken time for the document to be globally released, since it was first announced in late 2017. Yes, Covid has been a factor, but so has the SSC’s objective to make this document inclusive. The SSC reached out to the secure payments community not once but three times, receiving over six thousand items of feedback from 200 plus organisations, and the resulting document adds flexibility whilst focusing entities on what is required to keep card data secure. Finally, the current version of the DSS, v3.2.1, will not be retired until 31 March 2024, so there is a long transition period.

Goal 1 – Ensure the standard continues to meet the security needs of the payment industry

Released at the same time as v4.0 is a Summary of Changes document. This lists 64 new requirements, 11 of which just apply to third-party service providers. Whilst the secure payments community will always be playing catch up, the DSS certainly makes the effort to align to the current threat landscape, even though 51 of the new Requirements are not ‘effective’ until 31 March 2025.

Goal 2 – Add flexibility and support for additional methodologies to achieve security

As well as continuing with the ‘Defined’ approach with ‘Compensating Controls’, v4.0 introduces the ‘Customised’ approach. This is a new method to implement and validate PCI DSS requirements where entities demonstrate that they meet the intent of the DSS and can ‘adopt’ their own testing procedures, signed off by their Qualified Security Assessor (QSA) and acquirer.

Goal 3 – Promote security as a continuous process

In v4.0 this has been made a priority to dispel the notion that PCI DSS compliance is a once-a-year tick box exercise, much like an MOT. Whilst ‘roles & responsibilities’ has only two mentions in the current version, each of the 12 core requirements now has headline text that states “Roles and responsibilities for performing activities in requirement x are documented, assigned and understood.”

Goal 4 – Enhance validation methods and procedures

Whilst much of this goal is achieved by the introduction of the ‘Customised’ approach, we can see through the new supporting documentation for external auditors (QSAs) increased alignment between information reported in a Report on Compliance and information summarised in an Attestation of Compliance. We expect to see more when the new Self Assessments are released in Q2.

So, in summary, a really helpful document that we have time to consider. Certainly the ‘Customised’ approach should prompt ongoing conversations, especially around the additional time, costs and effort involved for all stakeholders in agreeing to testing procedures, especially when it comes to sign off and liability in the event of a future data compromise. Food for thought!

The Information Commissioner’s Office (ICO) ‘never said’ that charities were exempt from all or most of the data privacy and protection rules that govern sales and marketing, however many people in the charity sector thought they had an exemption. Plus there were never any enforcement cases or fines of charities, so there was no evidence that the ICO did care about charities’ rule-breaking. 

Then, in 2015 and 2016, in the wake of the death of the Bristol poppy seller Olive Cooke, charities’ fundraising techniques came under a lot of scrutiny and criticism. Inevitably, the ICO became involved and its investigations culminated in fines for the following big-name charities in 2017:

The International Fund for Animal Welfare, Cancer Support UK, Cancer Research UK, Guide Dogs for the Blind, Macmillan, the British Legion, NSPCC, Great Ormond Street, WWF, Battersea Dogs & Cats Home and Oxfam. 

This was a ‘shot across the bows’ of the whole charity sector, specifically highlighting the charities’ undeclared, hidden sharing of supporters’ data and income profiling (wealth screening). The total amount of the fines levied – £138,000 – wasn’t that great, but the reputational damage of what should be some of the most trusted organisations in the country was considerable. And the knock-on impact on charities’ fundraising business models contributed to millions of lost revenue for their causes.  

Incidentally, the ICO’s focus on charities’ marketing practices has diminished, but it’s not gone away, as evidenced by this recent fine of a charity sending SMS appeals without consent.

So what? 

That was and is a very challenging experience for charities, but most of us don’t work in the third sector. So, why the brief history lesson? Because commercial B2B sales and marketing may be about to go through a similar experience.

B2B’s wake up call 

Again, the ICO has ‘definitely’ never said that B2B sales and marketing isn’t covered by the data protection rules, though some aspects of the regulations are less stringent for business communications. However, a lot of B2B players certainly act like they’re excluded from the compliance considerations of their informed and professional B2C peers.  

Why? Well, partly because the ICO never fines organisations for B2B marketing failings. Or at least not until now. 

We all aspire to do the best for our prospects and customers, treat them with respect and in accordance with the law. But, inevitably, when these questions seem to be rather nuanced and not simply black and white, rational organisations will apply a risk assessment to guide their degree and prioritisation of compliance with regulations. So, if you operate B2B and the regulator seems to ignore your sector and business area then it’s reasonable to think that the level of regulatory risk you are exposed to is a lot less than in B2C.

All change 

A fine imposed by the ICO in late December suggests that things have changed. This case, described here, not only created considerable disruption to the operations of Northern Gas & Power, a business energy brokerage company based in Gateshead, but has also resulted in negative publicity, reputational damage and a £75,000 fine.

Northern Gas & Power largely sells its brokerage service to businesses through outbound calling from its two contact centres in Gateshead and Leeds. Northern operates – or operated – at scale, with over 4 million call attempts made in the year from May. However, irrespective of volume there are a couple of clear lessons we can all draw from Northern Gas & Power’s experience.

  1. Northern failed to screen its calling data against the Telephone Preference Service (TPS) or its little-known business-number equivalent, the Corporate Telephone Preference Service (CTPS). As you will probably know, the TPS is the national ‘opt out’ register which needs to be referenced before undertaking any ‘cold’ or unconsented sales and marketing calling. Most B2C organisations are very aware of the TPS, B2B firms often less so – and the CTPS is largely forgotten by nearly everybody.

That will need to change.

  2. When the GDPR arrived here (as the 2018 Data Protection Act in the UK) there was a lot of talk about the fuzzy lines between individuals and companies. You can email hello@contactcentrepanel.com and that’s a business address, but sullivan@contactcentrepanel.com is my personal data. Similarly, the Contact Centre Panel office number 0114 2096120 isn’t anyone’s personal data (though it could be registered with the CTPS and thus off-limits), but my mobile number is. And for many companies, personal email and mobile will be the only way of making contact.

All these aspects need to be thought through, understood and managed.

  3. Northern purchased prospect data, but did not undertake appropriate due diligence of its suppliers to ensure they were compliant and reputable. It failed to ensure robust, defensible contracts were in place with its suppliers and didn’t test or audit the data supplied.

Buying third party data is now one of the most potentially fraught and risky activities an organisation can undertake and needs to be handled with deliberation and care.

  4. As the ICO’s enforcement notice makes clear, Northern’s operational management, internal controls and processes were poor. Added to this, its contact management systems – and Northern’s team’s ability to manage them – were very deficient, directly leading to poor data management and to suppression requests not being actioned.

Northern Gas & Power has experienced considerable growth and apparent success, but without sound operational, data and technology underpinnings, continued success is increasingly difficult to sustain.

Whether you exclusively market to businesses or do so in combination with targeting consumers, the ICO’s latest move strongly suggests that B2B has lost any real or imagined status as a data protection compliance exception.

Contact Centre Panel boasts many years of collective experience in B2C and B2B customer targeting, acquisition and service, supplemented by a deep but pragmatic understanding of how to design and operate business models compliantly. Contact Centre Panel can offer clients


What do Boris Johnson, Len McCluskey, Philip Schofield and Mike Ashley all have in common? The thing that links this peculiar group is that their organisations, parties, or companies have all been fined by the Information Commissioner’s Office (ICO) over the past few months for illegal marketing activities. Even though none of these fines (which you can read about here) have had quite the amount of publicity you might think they deserve, they have all resulted in a degree of reputational damage, disruption to business plans and a chunk of unbudgeted costs.
Boris, Len, Philip and Mike are unlikely to form any one person’s ‘top 4 favourite people’ list, but each has their fans and supporters who might be surprised to see them involved in breaking the law in terms of how they market to consumers. Contact centres are squarely in the ICO’s line of fire and you should focus on making very sure that your brand or operation doesn’t find itself in the same position as Boris, Len, Philip and Mike.

We’ve been carrying out some analysis to help you do just that. Helpfully, in 2021 (to date) the ICO has imposed twice as many fines as it did in the whole of last year, part of a steady increase in the ICO’s enforcement action. (Incidentally, hardly any of these fines are imposed under the 2018 Data Protection Act – which is how the government turned the GDPR into UK law – but are for infringements of the far older and less well-known PECR rules. However, that’s another story.)

Lesson 1 – Voice still rules (when it comes to breaking the rules)

We live in a multi-channel world, but when it comes to rule-breaking the phone is still the leading communication channel. Very few contact centres do not have phone calls as at least part of their channel mix, but those which make outbound calls need to be especially conscious of the rules. The rules include those governed by Ofcom, which cover, but aren’t limited to, the use of predictive diallers – an area that we will be covering in a future article.

However, most enforcement is carried out by the ICO, and invariably when companies are fined for their live calling it’s because they haven’t screened outbound calling lists against the Telephone Preference Service (TPS) register.

“Well, that’s obvious,” you might say. “People have been doing that for over 20 years. Only crooks and scammers wouldn’t TPS screen!” That’s partly true, but it’s not just the scammers who have been fined.

Sometimes, firms think they have a prior relationship or permission that means they don’t need to screen against the TPS. In some cases, having an existing relationship does trump the need to TPS screen, but not always and the criteria aren’t always black and white.

Need some help navigating the ‘TPS or not?’ question? Give us a call.

In other cases, firms have been reassured that the external calling data they have been provided has already been TPS screened by the data provider, when in fact it hasn’t. The ICO has repeatedly made clear that it expects brands and data purchasers to undertake the checks and due diligence needed to ensure that data is compliant and legal. “Don’t expect; inspect!”

Contact Centre Panel can help with this unenviable challenge, too. See Lesson 2, below.

Lesson 2 – 3rd Party Data? A first party problem

The incorrect or inappropriate use of third-party data – which is typically bought or rented to allow firms to access new potential customers – is a very common feature of the ICO’s enforcement cases, specifically mentioned in nearly half of them.

The whole area of the law and regulations around the identification and management of consumers’ personal data is complex and potentially fraught – especially when the data is provided by a third party.

As previously mentioned, as far as the ICO is concerned the compliance onus is on the data purchaser. Users of third-party data must undertake thorough due diligence of data providers to ensure they have a sound legal basis to use the data for marketing purposes, as well as having robust, enforceable contracts in place. This cannot be a ‘one and done’ or tick box exercise and should start with a thorough audit of the legal and compliance standing of the data provider.

Fortunately, Contact Centre Panel can help. We have undertaken a lengthy and detailed rolling audit of the legal and compliance status of over 50 data providers. As a result, Contact Centre Panel has identified a small group of providers – which offer data for use in a variety of channels – who we feel are well-placed to potentially offer legal and compliant assistance to contact centres and brands.

Lesson 3 – Who’s calling?

About a quarter of all ICO fines – and half of the phone-based enforcement cases – involve the incorrect use of Caller Line Identification (CLI) numbers. As you probably know, these are the numbers presented on the customer’s phone when you call them.

Again, it’s Ofcom that sets the rules and regulations about the use of CLIs, but it’s the ICO who are pushing fines and enforcement. Misusing CLIs is a red flag to the regulator.

Simply put, CLIs should clearly identify the organisation making the call, be dialable, consistent and not confuse or mislead the consumer. In addition, if the customer rings the CLI number back you need to be able to inform the customer who you are and why you were ringing them.

That probably sounds very straightforward and you may be very confident about your use of CLIs. But that might not always be the case, even when you feel you are being reasonable and fair:

Sadly, the answers to these questions aren’t always clear, but you need to work out your approach and justification if you want to avoid damaging legal action and fines. Need a hand? Let us know.

Dr Lisa works in the commercial food safety arena as an expert witness for food law and practice, and is regularly called upon to comment on public hygiene issues in the media. She also appears on prime-time consumer shows, which have included Watchdog, Rogue Restaurants and Holiday Hit Squad, in addition to many radio and TV news programmes. She has worked with the Food Safety Adviser to UKHospitality and is a Trustee of the Royal Society for Public Health.

We spoke to Dr Lisa about ‘Natasha’s Law’ – a legal response to the tragic consequences of an allergic reaction. The requirement is that all food that is prepacked for direct sale (PPDS) will need to comply with new labelling rules before 1st October 2021. We talked about the new regulations and their impact on the customer service operations for food and hospitality sector businesses.

How will the new regulations change customer service for the businesses involved?

Dr Lisa explained that: “Even before the new law, food businesses needed to have accurate information on allergens so they could pass this onto customers. This needs to be absolutely up to date information about allergens in their company’s products. If the data is inaccurate, the message will be inaccurate and the consequences could be fatal.”

She continued: “Ingredients from suppliers must come from a reliable source which can supply accurate live data about ingredients.”

Where can organisations get access to this live data about what’s in the foods?

Dr Lisa explained: “Thankfully there are businesses working hard to make vital allergen information available to the industry and consumers alike. NT Assure, for example, are a company of food technologists who check data and make it available in a number of formats for food retailers, cafes and restaurants or their end customers. Away from the point of sale, an app called Glass Onion is available which aims to allow people to select places or things to eat based on their specific dietary or allergen needs.”

She continued: “It’s still imperative, though, that the allergic customer should speak to the business about their needs to make sure the business can prepare food safely for them. This is where having the right information, systems and training available to customer-facing staff is vital.”

Dr Lisa added: “It’s reasonably easy for a business, when asked, to gather the information and pass this onto the customer about the ingredients that their suppliers have declared. However, there still needs to be a further discussion about the risks of cross-contamination during preparation and cooking, for example about whether a fryer is used for foods containing the ingredients to which they are allergic.”

She concluded: “That’s where good customer service support can really help. A common approach to communicating important and updated allergen data can ensure that the right information is given to those customers who need it, reducing the stress and training burden on front-of-house staff.”

What are the new regulations and which businesses are affected?

Dr Lisa stated that: “All food that is prepacked for direct sale (PPDS) will be required by law to have clear labelling showing all the ingredients with the 14 legally declarable allergens shown clearly (usually in bold). This now applies to foods made in-house (previously they were exempt). Many see this as a huge step in the right direction to ensuring allergic guests have detailed information in the same way as if buying a typical food at retail, but there are some potentially unforeseen consequences for many businesses who face the challenges of preparing an accurate label.”

She continued: “All restaurants are required to display signage or information on their menus to encourage allergic customers to talk to them about their needs. To my mind, this dialogue is absolutely critical, regardless of whether the customer is buying a PPDS food with a label on or a restaurant meal.”

Dr Lisa explained: “I believe that once a business knows they have a customer with a need to avoid a food, they can then take actions to prepare food specifically and safely for that customer. In many cases where there are issues or complaints, restaurants report that the customer had not made them aware of their allergy and had chosen from the menu without checking. This is something everyone needs to avoid. I think a proactive approach by the business is often the best, asking guests when they are seated if anyone has any allergies or intolerances they (the kitchen) need to know about. This helps to make the customer more at ease and prompts reluctant guests (often young adults are shy to say about their needs).”

She stated that: “If a business fails to provide food that is not as ordered or requested, then this is a legal contravention and of course could end in tragedy; for so many reasons, businesses need to get this right.”

She added: “Delivered food is exempt from labelling. This carries huge risks, for example, if verbal instructions given by the customer when ordering don’t reach the chef. There have been issues where instructions given via online systems have not been clear or communicated properly to the restaurant and this is an area that is being worked through to make improvements across the board.”

Dr Lisa points out that: “There are still possibilities for confusion, as whilst any food which is packaged prior to order could be PPDS much depends on the detail of how the food is packaged. If it is only loosely packaged, with for example an unclosed box, it may not be PPDS. Some foods in an outlet may be exactly the same but will fall into PPDS and require a label if in a sealed bag, or will not need one if on a cake stand – for instance, you might buy a bagged croissant which must have clear labelling about allergens, but a loose croissant in the same cafe does not need labels, even though it might be sitting next to the almond croissant you’re violently allergic to.”

She concluded by saying that “An area of confusion is how the Food Hygiene Rating Scheme fits into allergen confidence. Currently whilst there is a “confidence in management” element in the scheme, it is not specifically concerned with allergen management. So, a 5 Food Hygiene Rating does not necessarily mean that a restaurant or cafe is allergen safe. It is vital then, that consumers engage with the business to make sure that the food they are buying is safe for them, regardless of the Food Hygiene Rating. Allergy UK is now offering the ‘Allergy Aware’ scheme for hospitality venues but this is much less well known. The FHRS is currently under review by the FSA together with a panel of stakeholders.”

What are the main issues for food and hospitality sector businesses?

Dr Lisa responded: “Many businesses are dealing with the new legislation by trying to design out human error because providing incorrect or incomplete information at the point of sale can have serious consequences in human terms, not just failing to meet the law’s requirements.”

She explained: “For a small business, the burden of the new legislation may mean that many stop selling PPDS foods. In a restaurant or cafe, the onerous labelling requirements (which include listing ingredients by descending order of weight) will apply to them if they serve PPDS foods, but they do not have the technology and resources of a large manufacturer. They can’t write the complicated labels by hand – just look at the back of a retail sandwich and you will see why! Furthermore, they often work from a small kitchen where there is naturally more risk of cross-contamination compared with a large manufacturer which has discrete lines for each food.”

Dr Lisa made it clear that: “Whilst there are 14 allergens covered by the UK labelling law, there are actually at least 160 foods that have been reported to cause an allergic reaction for some people. A simple-looking sandwich can be a very complicated collection of potential allergens (not just the 14), and a typical kitchen cannot be realistically expected to strip down after every order is made up. Anyone claiming food is “allergen free” is deluded in my opinion – it is not possible! I would urge everyone to avoid this term completely, as I would say it is also misleading.”

She added: “Interestingly, UKHospitality found that 40% of reported allergy complaints are made by people who have not made their allergy clear in advance. PPDS law may mean less rather than more dialogue, leading to unforeseen risks.”

Dr Lisa concluded by saying that: “The new regulations place the responsibility firmly with the food business, not the consumer, but this is a partnership. To avoid problems, food businesses need to offer clear signage, labelling and pathways for consumers to ask questions about their food. Centralised customer service teams with timely access to the most up to date information can play a huge part in helping front-of-house staff and chefs to deal with enquiries from concerned customers, but above all, the data whether held locally or centrally needs to be accurate.”

How can food businesses and their customer service teams prepare for the introduction of Natasha’s Law?

Before taking your next steps to get your teams ready, consider the following suggestions from Dr Lisa. Are your leaders and staff ready to address these issues?

If your business works in the food and hospitality sector, or if you’re providing outsourced customer service for food clients, we can help you to get ready for these important new laws. Get in touch with Contact Centre Panel to discuss your next steps.

Charles was a panelist on our recent Homeworking webinar and was the ideal person to speak to about the risks facing customer service and contact businesses as they embrace hybrid working models as we ease out of the pandemic.

As we are emerging from the pandemic. What has Covid meant to Health & Safety professionals?

Charles recalls the past year: “Covid was a surprise to most health & safety professionals. The pandemic fell upon us and many people thought that it would be a temporary situation, with working from home as a short-term fix but as the pandemic became a fact of working life, Health & Safety professionals have had to consider some more permanent solutions: can people realistically do their jobs at home? And from the professional standpoint, can they do it safely?”

He continues: “In over a year since the first lockdown, we’ve all become very familiar with the ways that home and hybrid working have been made possible. Most people think of the software solutions like Teams, Zoom and so on, but from a Health & Safety perspective we have to think much more widely.”

Charles concludes: “From a health & safety perspective, working in a home environment is very different to an office.”

So as people have got used to working from home and are now returning to more flexible, hybrid ways of working, what are the big Health & Safety considerations?

Charles explains: “The workplaces we are used to will have had Health & Safety Risk Assessments in place, which recognise hazards and provide ways to mitigate and control the risk. These are generally standardised and can be made available to managers and workers relatively easily and centrally. Workstations in offices, especially contact centre environments, tend to be similar and provide a good level of safety to team members. Allowances can be made for individuals on a case-by-case basis depending on their needs, which can be easily talked about during the working day.”

He states: “It’s completely different when people find themselves relocated to working from home at short notice. We have experienced enormous variations in the suitability of workspaces, equipment and challenges which we had very little time to prepare for or adapt to.”

Charles points out: “Under Health & Safety laws, employers have an obligation to ensure that their staff are kept safe. This applies to wherever the workers are fulfilling their roles.”

He continues: “Bad workplaces can result in serious problems for workers. Lighting, ergonomics and comfort, as well as the immediate physical safety of appliances or tools, are more difficult to control away from the office but are equally important wherever your team members are working and using them.”

How can customer service businesses deal with the new risks?

Charles states: “If you have team members who are spending any time working from home, your obligations as an employer cover both the office and the home workspace, or anywhere your staff regularly work. In practical terms, this means completing a risk assessment for hybrid and homeworkers in their homes. These risk assessments should be used to establish what our workers have in place, versus what they should expect.”

He continues: “In short: If your workers’ spaces cannot be made safe, then those workers should not be working from home.”

Charles adds: “There are more detailed requirements too. PAT (Portable Appliance) Testing is a well-known control measure in the workplace. Equipment used elsewhere must be kept safe, one of the more easy-to-understand difficulties with basing people away from any centralised location.”

He concludes: “Businesses can use standardised tests to identify many risks in non-standard workplaces, though. A DSE Workstation Assessment can be completed by employees with minimal, easy-to-understand training and support. An electronic assessment sent to the HR department or an independent Health & Safety consultancy can be used to collate a company-wide view of the main risks. This view can be analysed for the organisation as a whole and used to prioritise actions and mitigate risks, as well as demonstrating a commitment to looking after your teams.”

What about individual needs?

Charles starts: “A company’s obligations extend to all employees, not just the workforce as a whole. Where an individual team member has an issue, it’s up to the employer to decide what action should be taken.”

He explains: “Some people find homeworking difficult, so an extra effort should be made to make communication regular and as easy as possible for your teams. One good example of this which we’ve seen clients enjoying during the pandemic is a weekly online social lunch, where teams spend time together, from home, without a business agenda. Events like this can maintain a sense of togetherness during difficult times and might help hybrid workers long into the future.”

Charles says: “Stress is an adverse reaction to pressure. Pressure can improve performance in some people but too much pressure can have a seriously adverse effect on not only results, but the health of your people.”

He continues: “If we think of stress as water, everyone has a different-sized jug for their ability to deal with the flow of it. Employers bear a responsibility to alleviate and manage the pressure, to reduce or control the flow of that water. It’s important to be aware that pressure not only flows from work, but from everywhere else in an individual’s life too.”

Charles states: “Hybrid working is a good example of the flexibility now available to employers. Remember that the same flexibility can be used to offer employees a less stressful way of working, something that suits their own life and challenges more effectively.”

He explains: “With less organic interaction between your teams, try to encourage more mentorship and informal training to allow your employees to develop their skills as well as their social interactions. Support knowledge-sharing, wherever possible, to replace those conversations which many of us used to have in the office every day. Mentoring can be a vastly underrated and highly effective method of informal training for the whole business.”

Charles concludes: “It costs around £10,000 on average to replace an employee, so businesses should be aiming to retain their team members, not least for simple economic reasons.”

With many offices now opening, what should businesses be thinking about in terms of Health & Safety?

Charles states: “If there’s one thing to take away, it’s that a person’s workplace is everywhere they work. That means that employers have a duty of care to take account of working conditions in more than just the office. If you can’t do that for everyone, then you might have to enable some of your team members to come back permanently to the office.”

He concludes: “Outside the legal point of view, forward-thinking employers will also be communicating with their team members much more frequently than they used to. There are more factors at play now than ever before, with the lines blurring between home and working lives, so as employers we need to be more mindful of the health of our teams. We can help to keep the business healthy by working hard to keep our people healthy too.”

If you’d like to discuss how your organisation can be more effective in implementing hybrid working successfully, our expert team can help. This includes providing guidance on how to work with your employees to maximise their health, happiness, and productivity.

Our ‘coffee table discussion’ panel explored the possibilities…

The rapid drive towards homeworking throughout 2020 has forced many contact centres to enable agents to work from home, but some operations have felt forced into cutting corners, especially in relation to payment security, data compliance and working standards.

Contact Centre Panel’s series of webinars was launched to discuss these issues and to offer practical solutions for contact centres to provide an excellent level of service whilst safeguarding clients, callers and agents as well as their own business.

On 17 February 2021, Contact Centre Panel hosted a webinar focused on contact centre homeworking, asking our panel of experts the question ‘how can businesses create a genuinely safe, secure and flexible working environment for their teams so they can flourish and achieve wherever they work?’. John Greenwood, Head of Technology & Payments, Contact Centre Panel, hosted the webinar and was joined by:

Simon Turner, PCI DSS Advisory Cloud Services & Contact Centres (QSA), BT Plc, providing input from a security and payments compliance perspective

Steve Sullivan, Head of Regulatory Compliance, Contact Centre Panel, a contact centre operations and Data Protection specialist and vice-chair of the UK Data & Marketing Association’s Contact Centre Council

Brent Agar, Director, SentryBay, an endpoint security expert with over 20 years’ experience

Felix Clarke, Cloudbased Partners, an experienced risk assessment specialist

What’s the situation in early 2021?

In our audience survey:

Along with the growth of home working, there has been a rise in telephone-related fraud. Feedback from the Payment Card Schemes points to an overall increase in the MOTO (Mail Order Telephone Order) payments acceptance channel of up to 400% since March 2020. This is a clear indication that the criminal community is taking advantage of the changes that home working is forcing upon us.

Minimising these risks is not only good business; when it comes to keeping data secure, it’s a legal obligation covered by the Data Protection Act 2018 and the Health and Safety at Work Act 1974.

Looking at the big picture, Steve Sullivan began by highlighting that homeworking has brought some big positives to the sector:

Based on recent research, most businesses have seen overall increased performance metrics, including CSAT (customer satisfaction) results, plus performance and productivity improvements up to the end of 2020.

Talking about the most important technical implications of the forced move to working from home, Brent Agar and Simon Turner outlined the challenges presented by the move from a physical security world, where offices and contact centres were built and managed to be secure places for people and data to be put to work, to a remote working situation where endpoint security has become the focus for compliance and protection.

What’s the risk exposure of teams moving into the home environment?

Felix Clarke described the situation now: “We’re in this blitz spirit situation where people have been prepared to put up with it and wait and see… The Government has said that they will bring out new health & safety rules but they’re not ready yet… and the unions and lawyers who know they can’t get involved yet but are waiting.” However, this spirit of all being in this situation together cannot last forever. For now, employees working from home and their employers are finding ways to get the job done, but the honeymoon period is bound to end and organisations who are cutting corners will start to be exposed. This will have knock-on effects not only for team members but for end consumers, brands and contact centre business owners alike.

Where payments are concerned, there are risks associated with employees using their own computers or where company-owned computers are not fully protected. Traditional anti-virus software may not protect your business from some technical weaknesses. Options include buying and maintaining expensive computers for your full team or installing additional software to protect your business from attacks.

It’s critical to remember that your people are in scope too when it comes to compliance with standards. Technology is important of course, but your agents, whether internal or outsourced, are a critical part of the process. Iteratively developing our processes to take account of the behaviour of agents working away from the usual office environment is crucial.

What technological solutions are out there?

The risks inherent with homeworking can be partially mitigated by good endpoint security systems. The PCI Standards Council says that ‘by limiting exposure of payment data and your systems, you simplify scope and validation, reducing the chance of being a target for criminals.’

The reality is that in any situation where an agent is taking personal or payment data over the phone, there is a risk that data can be recorded manually or digitally, either in good faith or, more worryingly, criminally, using techniques such as keylogging or screen capture systems which can be installed without the user’s knowledge through spyware or similar attacks.

Brent introduced a piece of software by SentryBay which scrambles the information taken by keyloggers and disables screen capture. So regardless of whether the agent is acting dishonestly or has been the unwitting victim of a spyware attack, the software prevents sensitive data from being captured and passed on. With millions of installations worldwide, this tried and tested solution is used by some of the largest banks and insurance companies to help them minimise their risks.

Software like this is not restricted to large financial institutions; however, with most businesses that use contact centres processing personal data and payment data in some form, there is arguably a greater risk to smaller businesses. Implementing solutions such as technical endpoint protection is scalable and suitable for all sizes of business. It’s important to remember that the liability for compliance rests with the merchant, even if they use outsourced resources to process data or payments.

Have industry bodies changed their approach?

In the UK, the ICO (Information Commissioner’s Office) has published a lot of advice on working from home but has said little about the security of payment card data, pointing only to the Payment Card Industry Security Standards Council (PCI SSC), the body responsible for the security standards supporting the card payments ecosystem, where guidance on homeworking has been published and promoted.

The Data and Marketing Association (DMA) has not fundamentally changed its guidance for distributed workforces at this stage but encourages a systemic approach to data security and data protection. Being aware of your duty of care to front line staff to minimise their exposure is important.

Regulators will not maintain their recent light touch indefinitely and some large brands will doubtless fall foul of decisions they have made which do not mitigate risks sufficiently. By building systems that protect your staff from sensitive data, they will have to worry less about the lure of fraudulent activity and can focus more on the positive aspects of their jobs.

What about the claims industry?

As an employer, if you put your teams into a situation where they are at risk, the claims industry is likely to be preparing to catch up with you soon. Felix Clarke: “We’ve already seen articles with titles like ’17 ways you can hurt yourself working from home’ so if you inadvertently put employees into a situation where they could be hurt or discriminated against while working from home…claims will probably follow before too long.”

How can we help our teams to safely provide an excellent service to our customers?

To summarise the findings of our panel, there are a few key considerations that will help enormously to protect customers, agents and businesses:

To summarise the discussion perfectly, Steve Sullivan said: “There are a lot of angry frustrated customers out there… so anything we can do to make our agents’ lives easier and let them focus on what they’re best at is for everybody’s benefit.”

You can hear all the insights given by our expert panel in full by watching the webinar:

Our next webinar is focused on ‘homeworking health & safety considerations and legal risks’. If you’d like to attend, click here.

If you’re unsure how to assess your business’s risk exposure and how to equip it to handle any new risks posed by changeable working conditions, we can help by advising you on the risks you need to consider and the best way to mitigate them. We can also help you to learn how to work with your employees to maximise their health, happiness, and productivity. Get in touch.

When it comes to Data Adequacy, it’s been a slow process for the UK to gain full agreement from all the EU institutions and, although we cannot be 100% sure, it’s now looking almost certain that the EU will deem the UK’s data protection regime ‘adequate’. This will then allow data transfers to continue between the UK and EU as they do at present. For further detail from the ICO, click here.

The lawyers’ lament

An ‘adequacy’ decision is one of the most important rulings needed to ensure uninterrupted trade in data and services for the UK with the EU, post-Brexit. Without this decision, thousands of individual contractual arrangements would have to be created to cover companies needing to transfer personal data between the UK and EU and vice versa. As we explained in our previous article, aside from all the business process disruption that would be caused if the UK’s data protection regime were to be ruled inadequate, there would be a massive, direct legal cost. The New Economics Foundation estimated in a recent report that the legal work necessary without an adequacy decision would have cost British businesses between £1bn and £1.6bn. Listen carefully and you can hear the quiet sobbing of contract lawyers missing out on all that work. Tragic!

Transatlantic troubles

So, the adequacy decision is great news, but here’s something else to worry about.

The Privacy Shield was an arrangement designed to provide a mechanism for personal data to compliantly flow between companies in the US and the EU. However, the framework collapsed last summer after being ruled invalid by the European Court of Justice in the Schrems II case – for details click here.

You might not directly deal in the personal data of individuals in the US, but it would be a rarity for an organisation not to use any US-based technology or solutions that make use of data centres in the US. If so, then you need to address this challenge. Remember, the legal definitions of data processing are extremely broad, so having static data in storage in the US, or even having it visible on an ad hoc basis to a support engineer working on a case, both count as ‘processing’.

There are many organisations that still haven’t managed to create alternative arrangements to transfer personal data across the Atlantic. The EU is working on a replacement for the Privacy Shield, but there is no guarantee this can be agreed any time soon. The data protection regulators, like the Information Commissioner’s Office in the UK, aren’t rushing to penalise companies still transferring data under pre-existing arrangements. But those legacy arrangements aren’t compliant and your business partners, clients and risk management colleagues are all likely to start looking for businesses to put a solution in place.

More work for you and the lawyers!

To create a solution you will probably be reliant on using Standard Contractual Clauses (SCCs) as the basis for transferring data legally. SCCs are a type of agreed, boilerplate legal solution that provides an outline framework to ensure that both parties are handling data compliantly, onto which the specific business and process details are added. Unfortunately, the SCCs are in the process of being amended and updated – for further information click here.

There are draft new versions you can make use of, but you might find that your commercial law firm will soon need to change them again if the final version is different. So, more cost and more uncertainty, but good news for those work-deprived contract lawyers.

With homeworking becoming a daily reality for many workers who had traditionally been based in the office, the parameters by which businesses need to be managed and protected have changed.

From early on in the pandemic, most large organisations have made it possible for their staff to work from home, only visiting the office when necessary. Although this new flexible way of working has had many benefits, it has also led to a far wider variety of data security and personal health risks across the distributed workforce.

A recent BBC article highlighted the main cybersecurity issues, although none of them comes as a big surprise. The most interesting facts and statistics were:

In addition to this, many organisations that have successfully moved their workforces into the home, after adapting or redesigning their business processes and corporate systems to enable productive working, are up against a potential legislative ticking time bomb in relation to remote workplace safety.

Where there’s blame…

The UK claims industry has not had an easy time of it recently. With only a few exceptions, the door is now firmly shut for PPI claims and planned changes to the whiplash claims process will further curtail revenue opportunities.

What is next for the claims sector? Will it be class actions against companies by groups of employees who have been forced to work in unsuitable home environments?

While the home environment had, before 2020, been the homeowner’s domain, it is now the workplace. Any accidental damage caused by trailing cables, poorly placed computers or unsuitable seating might now fall on the employer to address. Then add to that the potential mental damage caused by having to balance work and family commitments within a confined space. The claims industry could have a field day!

What should your business be doing about it?

It is essential your business acts now and puts your company in a defendable position.

Failing to fully document a ‘risk assessment’ of your organisation’s ability to meet its obligations under the Data Protection Act 2018 and the Health and Safety at Work Act 1974 may not be an easy position to defend.

Both these pieces of legislation make very clear what an organisation’s responsibilities are in order to comply with each Act and keep both data and people safe.

Recording decision-making actions, particularly at Board level, that are reasonable, proportionate and timely will help create the defendable position that insurers will look for when defending a potential claim.

Do not believe for one minute that the claims industry is not preparing itself for this, and do not think that your organisation is immune. Ensuring that your organisational risk documentation is complete, and that words and actions are aligned to what could be considered a reasonable timeline, will be essential components of a defendable position.

Help your team to work with you

In short, homeworking is here to stay. Businesses have shifted and employees have become accustomed to the ‘new norm’. However, it’s not plain sailing yet, as mistakes are being made and, so far, most organisations are getting away with them. Don’t be the organisation in the first batch of ‘class actions’ because of a lack of timely decision making and appropriate, proportionate action.

By working with your team to provide a safe and productive homeworking environment, with protected systems and structured support, your business can be a home-based success. Your team can grow and thrive, knowing what to do if problems occur and feeling supported in their work.

If you’re unsure how to assess the risks posed by homeworking and how to equip your business to deal with them, get in touch. We can advise you on what areas need to be considered and how to mitigate risk. We can also provide tips on how to work with your staff to maximise their health, happiness and productivity.

So, at the last minute and just in time for Christmas, the EU and UK agreed a post-transition Brexit trade deal. If you read our article published just a few days before Boris and Ursula settled their fish-based disputes, then you would hope that the deal included the vital EU ‘adequacy’ ruling on UK personal data protection rules. Unfortunately, this was not the case.

The parties have agreed a 4-to-6-month extension to the current arrangements, so personal data can continue to flow between the UK and the EU, but that looks like the final extension.

What does ‘Processing Personal Data’ really mean?

It is a broad definition. ‘Personal data’ is essentially anything that can be used to identify a real, living person and ‘Processing’ covers just about any activity that involves that data. It is not limited to communications, e.g. making calls, sending emails and messaging on social channels; analysis, segmentation and even simple data back-up to storage can count as processing.

Implications of no adequacy ruling

If the EU does not give the UK an ‘adequacy ruling’ then, as stated by the government, the implications for data handling are that UK data being passed to Europe will be covered by existing laws, but if EU data is sent to the UK, it could contravene data privacy regulations. For pan-European operations, this will pose serious new risks.

If the UK’s rules are not considered adequate by the EU, then a raft of new contractual arrangements using Standard Contractual Clauses (SCCs) will be required. According to a report from the New Economics Foundation and UCL European Institute, ‘The Cost of Inadequacy’, “the aggregate cost to UK firms would likely be between £1 billion and £1.6 billion”. Most of this would be the cost of commercial legal work to implement the necessary SCCs.

Are you feeling lucky?

So, should you start to worry about this now and give your lawyers a call?

You may well imagine that, as the UK uses the EU-wide General Data Protection Regulation (GDPR) as the basis for its data protection rules and the 2018 Data Protection Act, the European Commission would have no alternative but to grant the UK an ‘adequacy’ ruling. But that is not the case. A large number of data privacy professionals and data rights groups argue that the UK does not reflect EU standards in its collection and processing of personal data, especially in the areas of national security and data sharing with other friendly states, so it shouldn’t be granted ‘adequacy’. It is worth noting that the European Commission has so far ruled only a small number of countries’ personal data protection to be adequate (Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay).

Do not forget the Privacy Shield

In the meantime, if you have clients in the USA or use technology solutions with data centres in the US, there is something else you need to pay attention to. Since 2016 an arrangement agreed between the US government and the EU called the ‘Privacy Shield’ provided a framework for US and EU companies to compliantly transfer personal data across the Atlantic. Last summer the Privacy Shield collapsed when the European Court of Justice ruled it invalid over concerns that US corporations are subject to making personal data available to US Government agencies.

This may seem like old news, but many organisations are only just waking up to the implications of it. For most companies, there is a solution that will allow appropriate personal data transfers to continue, but unfortunately, once again, that is likely to be reliant on Standard Contractual Clauses, lawyers and considerable expense.

What to do?

To manage your risks there are two key pieces of advice we can give to all businesses who use private data in any way, whether for outbound sales, customer service or sales order processing:

  1. Minimise the amount of data you store per contact. The less data you store, the less likely it is to get you in trouble. Avoid storing risky data such as payment details unless absolutely necessary to your business model.
  2. Minimise the places you hold data. If your data is stored and processed in only one location, the amount of regulation is minimised. Also, the lower number of transfers your data has to undergo, the lower the risk of breaches of privacy, or indeed of your business inadvertently falling foul of the regulations in one region or another.

As a last consideration, check all your IT service providers. Do you really know where your call recordings and network data backups are stored? Identifying where your data is held is essential. If hosted in the cloud then find out where the data servers are located and if your technology provider is unable to provide this information, then your business could be at risk and alternatives should be considered.

If you are unsure how to assess your risks and responsibilities now the UK has left the EU, get in touch. We can advise you about the risks you need to consider and potential ways to mitigate them.

As we head towards the end of December 2020, it is looking increasingly likely that Britain will leave the EU without a deal, or with an “Australia type deal” as described in some parts of the press. Although GDPR has been passed into UK law in the Data Protection Act 2018, leaving the EU without a deal will have some significant implications for how the rules around data privacy will apply in the UK in 2021.

The UK Government’s current stance is that ‘The EU is conducting a data adequacy assessment of the UK. If the EU grants positive adequacy decisions by 1 January 2021, it would mean that personal data can flow freely from the EU/EEA to the UK, as it does now, without any action by organisations.’

However, if we leave without a deal and the EU hasn’t given us an “adequacy ruling” then, as stated by the government, the implications for data handling are that UK data being passed to Europe will be covered by existing laws, but if EU data is sent to the UK, it could contravene data privacy regulations. For pan-European operations, this might pose serious new risks.

What is the UK’s data privacy situation as we leave the EU?

If the UK’s rules aren’t considered adequate by the EU, then a raft of new contractual arrangements using Standard Contractual Clauses (SCCs) will be required. This is according to a report from the New Economics Foundation and UCL European Institute, ‘The Cost of Inadequacy’. The report estimates that “The aggregate cost to UK firms would likely be between £1 billion and £1.6 billion”, most of which would be the cost of commercial legal work to implement the necessary SCCs.

Add to this the arrangement between the US and EU called the ‘Privacy Shield’, which was struck down by the EU over concerns that US corporations are subject to making data available to US Government agencies, which the EU considers a data risk. This creates additional implications for data sharing wider than the EU and UK in the western hemisphere.

How can you prepare to be Data Privacy compliant?

The EU has released some draft Standard Contractual Clauses which data controllers and processors can use to remain compliant in 2021 and beyond. Already, several commercial law firms are preparing advice which data owners can use to assess their position with respect to data from the UK, EU and other countries including the US. This may come at a price, so here is a very brief summary of the impacts that we expect to see:

If you have UK data which you store and process in the UK, your operations are not likely to be affected in the short term, as long as they are already compliant.

If you have UK data which is stored or processed in the EU, you are also not likely to be significantly affected in the short term. The EU’s rules should be enough to protect you against the most likely risks.

If you have EU data which you store and/or process in the UK, you should review your risks, and the new SCCs may be needed to assure your compliance. This will apply if you use many nearshore outsourced customer service or data processing teams.

If you are a global operation with data from different regions which is transferred across borders, your situation may be complex and will need looking at carefully.

What is best practice in tomorrow’s data handling world?

To manage your risks there are two key pieces of advice we can give to all businesses who use private data in any way, whether for outbound sales, customer service or sales order processing:

  1. Minimise the amount of data you store per contact. The less data you store, the less likely it is to get you in trouble. Avoid storing risky data such as payment details unless absolutely necessary to your business model.
  2. Minimise the places you hold data. If your data is stored and processed in only one location, the amount of regulation is minimised. Also, the lower number of transfers your data has to undergo, the lower the risk of breaches of privacy, or indeed of your business inadvertently falling foul of the regulations in one region or another.

As a last consideration, check all your IT service providers. Do you really know where your call recordings and network data backups are stored? Identifying where your data is held is essential. If hosted in the cloud then find out where the data servers are located and if your technology provider is unable to provide this information, then your business could be at risk and alternatives should be considered.

If you’re unsure how to assess your risks and prepare for your future once the UK leaves the EU, get in touch. We can advise you about the risks you need to consider and potential ways to mitigate them.