When it comes to Data Adequacy, it’s been a slow process for the UK to gain full agreement from all the EU institutions and although we cannot be 100% sure, it’s now looking almost certain that the EU will deem the UK’s data protection regime ‘adequate’. This will then allow data transfers between the UK and EU to continue as they do at present.

The lawyers’ lament

An ‘adequacy’ decision is one of the most important rulings needed to ensure uninterrupted trade in data and services for the UK with the EU, post-Brexit. Without this decision, thousands of individual contractual arrangements would have to be created to cover companies needing to transfer personal data between the UK and EU and vice versa. As we’ve explained before, aside from all the business process disruption that would be caused if the UK’s data protection regime were to be ruled inadequate, there would be a massive, direct legal cost, as covered in our previous article. The New Economics Foundation estimated in a recent report that the legal work necessary without an adequacy decision would have cost British businesses between £1bn and £1.6bn. Listen carefully and you can hear the quiet sobbing of contract lawyers missing out on all that work. Tragic!

Transatlantic troubles

So, the adequacy decision is great news, but here’s something else to worry about.

The Privacy Shield was an arrangement designed to provide a mechanism for personal data to compliantly flow between companies in the US and the EU. However, the framework collapsed last summer after being ruled invalid by the European Court of Justice in the Schrems II case.

You might not directly deal in the personal data of individuals in the US, but it would be a rarity for an organisation not to use any US-based technology or solutions that make use of data centres in the US. If you do, then you need to address this challenge. Remember, the legal definitions of data processing are extremely broad, so data sitting in static storage in the US, or even being visible on an ad hoc basis to a support engineer working on a case, both count as ‘processing’.

There are many organisations that still haven’t managed to create alternative arrangements to transfer personal data across the Atlantic. The EU is working on a replacement for the Privacy Shield, but there is no guarantee this can be agreed any time soon. The data protection regulators, like the Information Commissioner’s Office in the UK, aren’t rushing to penalise companies still transferring data under pre-existing arrangements. But those legacy arrangements aren’t compliant and your business partners, clients and risk management colleagues are all likely to start looking for businesses to put a solution in place.

More work for you and the lawyers!

To create a solution you will probably be reliant on using Standard Contractual Clauses (SCCs) as the basis for transferring data legally. SCCs are a type of agreed, boilerplate legal solution that provides an outline framework to ensure that both parties are handling data compliantly, onto which the specific business and process details are added. Unfortunately, the SCCs are in the process of being amended and updated.

There are draft new versions you can make use of, but you might find that your commercial law firm will soon need to change them again if the final version is different. So, more cost and more uncertainty, but good news for those work-deprived contract lawyers.

With homeworking becoming a daily reality for many workers who had traditionally been based in the office, the parameters by which businesses need to be managed and protected have changed.

From early on in the pandemic, most large organisations have made it possible for their staff to work from home, only visiting the office when necessary. Although this new flexible way of working has had many benefits, it has also led to a far wider variety of data security and personal health risks across the distributed workforce.

A recent BBC article highlighted the main cybersecurity issues, although none of them comes as a big surprise. The most interesting facts and statistics were:

In addition to this, many organisations that have successfully moved their workforces into the home, after adapting or redesigning their business processes and corporate systems to enable productive working, are up against a potential legislative ticking time bomb in relation to remote workplace safety.

Where there’s blame…

The UK claims industry has not had an easy time of it recently. With only a few exceptions, the door is now firmly shut for PPI claims and planned changes to the whiplash claims process will further curtail revenue opportunities.

What is next for the claims sector? Will it be class actions against companies by groups of employees who have been forced to work in unsuitable home environments?

While the home environment was, before 2020, the homeowner’s domain, it is now the workplace. Any accidental damage caused by trailing cables, poorly placed computers or unsuitable seating might now fall on the employer to address. Then add to that the potential mental damage caused by having to balance work and family commitments within a confined space. The claims industry could have a field day!

What should your business be doing about it?

It is essential your business acts now and puts your company in a defendable position.

An organisation’s failure to fully document a ‘risk assessment’ against not being able to meet its obligations under the Data Protection Act 2018 and the Health and Safety at Work Act 1974 may not be an easy position to defend.

Both these pieces of legislation make very clear what an organisation’s responsibilities are in order to comply with each Act and keep both data and people safe.

Recording decision making actions, particularly at Board level, that are reasonable, proportionate and timely will help create the defendable position that insurers will look for when defending a potential claim.

Do not believe for one minute that the claims industry are not preparing themselves for this and do not think that your organisation is immune. Ensuring that your organisational risk documentation is complete and that words and actions are aligned to what could be considered a reasonable timeline, will be essential components of a defendable position.

Help your team to work with you

In short, homeworking is here to stay. Businesses have shifted and employees have become accustomed to the ‘new norm’. However, it’s not plain sailing yet as mistakes are being made and so far, most organisations are getting away with them. Don’t be the organisation in the first batch of ‘class actions’ because of lack of timely decision making and appropriate, proportionate and timely actions.

By working with your team to provide a safe and productive homeworking environment, with protected systems and structured support, your business can be a home-based success. Your team can grow and thrive, knowing what to do if problems occur and feeling supported in their work.

If you’re unsure how to assess the risks posed by homeworking and how to equip your business to deal with them, get in touch. We can advise you on what areas need to be considered and how to mitigate risk. We can also provide tips on how to work with your staff to maximise their health, happiness and productivity.

So, at the last minute and just in time for Christmas, the EU and UK agreed a post-transition Brexit trade deal. If you read our article published just a few days before Boris and Ursula settled their fish-based disputes, then you would hope that the deal included the vital EU ‘adequacy’ ruling on UK personal data protection rules. Unfortunately, this was not the case.

The parties have agreed a 4-to-6-month extension to the current arrangements, so personal data can continue to flow between the UK and the EU, but that looks like the final extension.

What does ‘Processing Personal Data’ really mean?

It is a broad definition. ‘Personal data’ is essentially anything that can be used to identify a real, living person and ‘Processing’ covers just about any activity that involves that data. It is not just the use of data for communications, e.g. making calls, sending emails and messaging on social channels; analysis, segmentation and even simple data back-up to storage can count as processing.

Implications of a no adequacy ruling

If the EU does not give the UK an ‘adequacy ruling’ then, as stated by the government, the implications for data handling are that UK data being passed to Europe will be covered by existing laws, but if EU data is sent to the UK, it could contravene data privacy regulations. For pan-European operations, this will pose serious new risks.

If the UK’s rules are not considered adequate by the EU, then a raft of new contractual arrangements using Standard Contractual Clauses (SCCs) will be required. According to a report from the New Economics Foundation and UCL European Institute, ‘The Cost of Inadequacy’, “the aggregate cost to UK firms would likely be between £1 billion and £1.6 billion”, most of which would be the cost of commercial legal work to implement the necessary SCCs.

Are you feeling lucky?

So, should you start to worry about this now and give your lawyers a call?

You may well imagine that as the UK uses the EU-wide General Data Protection Regulation (GDPR) as the basis for its data protection rules and the 2018 Data Protection Act, the European Commission would have no alternative but to grant the UK an ‘adequacy’ ruling. But that is not the case. A large number of data privacy professionals and data rights groups argue that the UK does not reflect EU standards in its collection and processing of personal data, especially in the areas of national security and data sharing with other friendly states, so shouldn’t be granted ‘adequacy’. It is worth noting that the European Commission has so far ruled only a small number of countries’ personal data protection to be adequate (Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay).

Do not forget the Privacy Shield

In the meantime, if you have clients in the USA or use technology solutions with data centres in the US, there is something else you need to pay attention to. Since 2016 an arrangement agreed between the US government and the EU called the ‘Privacy Shield’ provided a framework for US and EU companies to compliantly transfer personal data across the Atlantic. Last summer the Privacy Shield collapsed when the European Court of Justice ruled it invalid over concerns that US corporations can be required to make personal data available to US Government agencies.
This may seem like old news, but many organisations are only just waking up to the implications of it. For most companies, there is a solution that will allow appropriate personal data transfers to continue, but unfortunately, once again that is likely to be reliant on Standard Contractual Clauses, lawyers and considerable expense.

What to do?

To manage your risks there are two key pieces of advice we can give to all businesses who use private data in any way, whether for outbound sales, customer service or sales order processing:

As a last consideration, check all your IT service providers. Do you really know where your call recordings and network data backups are stored? Identifying where your data is held is essential. If hosted in the cloud then find out where the data servers are located and if your technology provider is unable to provide this information, then your business could be at risk and alternatives should be considered.

If you are unsure how to assess your risks and responsibilities now the UK has left the EU, get in touch. We can advise you about the risks you need to consider and potential ways to mitigate them.

As we head towards the end of December 2020, it is looking increasingly likely that Britain will leave the EU without a deal, or with an “Australia type deal” as described in some parts of the press. Although GDPR has been passed into UK law in the Data Protection Act 2018, leaving the EU without a deal will have some significant implications for how the rules around data privacy will apply in the UK in 2021.

The UK Government’s current stance is that ‘The EU is conducting a data adequacy assessment of the UK. If the EU grants positive adequacy decisions by 1 January 2021, it would mean that personal data can flow freely from the EU/EEA to the UK, as it does now, without any action by organisations.’

However, if we leave without a deal and the EU hasn’t given us an “adequacy ruling” then, as stated by the government, the implications for data handling are that UK data being passed to Europe will be covered by existing laws, but if EU data is sent to the UK, it could contravene data privacy regulations. For pan-European operations, this might pose serious new risks.

What is the UK’s data privacy situation as we leave the EU?

If the UK’s rules aren’t considered adequate by the EU, then a raft of new contractual arrangements using Standard Contractual Clauses (SCCs) will be required. This is according to a report from the New Economics Foundation and UCL European Institute, ‘The Cost of Inadequacy’. The report estimates that “The aggregate cost to UK firms would likely be between £1 billion and £1.6 billion”, most of which would be the cost of commercial legal work to implement the necessary SCCs.

Add to this the arrangement between the US and EU called the ‘Privacy Shield’, which was struck down by the EU over concerns that US corporations can be required to make data available to US Government agencies, which the EU considers a data risk. This creates additional implications for data sharing wider than the EU and UK in the western hemisphere.

How can you prepare to be Data Privacy compliant?

The EU has released some draft Standard Contractual Clauses which data controllers and processors can use to remain compliant in 2021 and beyond. Already, several commercial law firms are preparing advice which data owners can use to assess their position with respect to data from the UK, EU and other countries including the US. This may come at a price, so here is a very brief summary of the impacts that we expect to see:

If you have UK data which you store and process in the UK, your operations are not likely to be affected in the short term, as long as they are already compliant.

If you have UK data which is stored or processed in the EU, you are also not likely to be significantly affected in the short term. The EU’s rules should be enough to protect you against the most likely risks.

If you have EU data which you store and/or process in the UK, you should review your risks and the new SCCs may be needed to assure your compliance. This will apply if you use many nearshore outsourced customer service or data processing teams.

If you are a global operation with data from different regions which is transferred across borders, your situation may be complex and will need looking at carefully.

What is best practice in tomorrow’s data handling world?

To manage your risks there are two key pieces of advice we can give to all businesses who use private data in any way, whether for outbound sales, customer service or sales order processing:

  1. Minimise the amount of data you store per contact. The less data you store, the less likely it is to get you in trouble. Avoid storing risky data such as payment details unless absolutely necessary to your business model.
  2. Minimise the places you hold data. If your data is stored and processed in only one location, the amount of regulation is minimised. Also, the fewer transfers your data has to undergo, the lower the risk of breaches of privacy, or indeed of your business inadvertently falling foul of the regulations in one region or another.

As a last consideration, check all your IT service providers. Do you really know where your call recordings and network data backups are stored? Identifying where your data is held is essential. If hosted in the cloud then find out where the data servers are located and if your technology provider is unable to provide this information, then your business could be at risk and alternatives should be considered.

If you’re unsure how to assess your risks and prepare for your future once the UK leaves the EU, get in touch. We can advise you about the risks you need to consider and potential ways to mitigate them.

India’s regulations governing outsourcers have recently been relaxed, making it much easier for contact centre agents to work from home and lowering the barriers to entry for businesses wanting to offer outsourced services from India. What does this mean for businesses using outsourced labour to meet customer service demand?

The slimmed-down regulations, announced earlier this month, mean that Indian outsourcers do not now need to register their premises, whereas previously every office used by an outsourcer was required to go through a registration process. There is also no longer any need to give static IP addresses for all operatives and the previously required bank guarantee per seat has been abolished.

This means that outsourcers in India can now create wide VPNs enabling voice and data to be shared throughout the country and across other countries too.

On the positive side, the new regulations mean that Indian outsourcers will be able to react to the global shift towards homeworking and counter the move by businesses to bring their operations back onshore, nearshore or inhouse, which could potentially have a devastating effect on India’s huge outsourcing sector.

What do you need to know?

Amazingly for any UK reader, the new regulations span just eight pages. You can read the entire document, as published by the Ministry of Communications, Government of India, 5th November 2020, in a few minutes.

Although there are requirements to make call data, secure system access logs and other details available on request, there is no obligation to submit these regularly or register them in advance. The emphasis in the new regulations is on correction rather than prevention of issues.

Is your business outsourcing to India?

These new regulations may make it easier for poorly managed or even unscrupulous operators to work in India. However, it is important to consider that they also make working from home practical for an industry that needs to adapt to a rapid global shift in the way contact centres work.

If you are using Indian outsourced service providers, ensure that their own operating parameters reflect what you need. Seek assurances that data is handled securely and that their systems are safe. Many established outsourcers will already have implemented good data handling and security infrastructures. Make sure that your customer data is safeguarded.

In short, there is no need to stop using reputable outsourced contact centres or remote business process handling. There is, however, an increased pressure to obtain the assurance that your customers’ data is, and will continue to be, handled securely and safely.

Want to assess your potential risk?

If you are unsure how to assess your risks with offshoring parts of your operations, we can help. We have a team of experts who can advise and assess your operation and, if required, a network of fully vetted reputable outsource contact centres and technology providers who can provide alternative options to ensure your operations are safe and secure.

Contact centres, call centres and telemarketing agencies are under pressure right now to get their houses in order when it comes to the security of sensitive customer data. Under normal circumstances, the telecoms and IT systems that enable agents to handle calls, emails, chats and social communications are protected within the secure corporate perimeter. Covid-19, however, has forced a rapid exodus from physical offices and agents are working remotely on devices, many of which are not suitable for combating cyber crime.

Lockdown happened quickly and for insurance and banking contact centres, still heavily dependent on legacy systems, the remote working model is not generally supported. This has meant that all too many of their agents have been using laptops, tablets, home PCs and personal smartphones that have either no up-to-date security, or software that is not designed to protect customer data, thereby compromising organisations’ obligations under the DPA 2018 and the PCI DSS.

Cyber criminals have seized the opportunity

Research from numerous security organisations and government agencies confirms the rise in cyber crime activity since March and for companies holding digital data on customers, there will have been a higher than average likelihood of being hit.

Attacks have come in a variety of insidious ways, from phishing and ransomware through to key logging, where malware tracks every key as it enters the system. Human fallibility is a factor in whether these attacks succeed; however, it is endpoint devices – laptops and smartphones for example – that put companies and their data most at risk. According to the 2019 Endpoint Security Report, 70 per cent of cyber breaches originate at the endpoint, and 42 per cent of endpoints are unprotected at any given time. When it comes to smartphones, the risk is not so much malware as data leakage, but regardless of how the breach happens, once a customer’s personal data is exposed, there are serious implications for those involved.

Working within the PCI DSS requirements

There is an additional pressure for organisations taking card payments, who are obliged to meet the Payment Card Industry Data Security Standard (PCI DSS). This protects customer credit card data over landlines and mobile phones, through chat or through the use of apps. Contact and call centres use processes and technologies to manage this, ensuring that wherever agents process cardholder data, the transactions are monitored, logged and secured; however, the supporting processes and technology are within their physical estates.

Not every organisation is fully meeting its PCI DSS obligations, and adherence has become more sporadic over the last few months, but the contact and call centre industry needs to take this seriously. Any chink in their armour could result in data being stolen within seconds. While compliance with the PCI DSS is a contractual obligation with the acquiring bank, payment card data is treated by data regulators as personal data. This means that in the event of a data compromise organisations should expect payment card scheme penalties (up to €18.00 per card exposed) as well as fines from the Information Commissioner’s Office (ICO) and the potential of unlimited ‘class actions’ from card holders. As payment card data is more attractive to criminals than other common forms of personal data, having card data present in unsecured systems represents a significant risk. And as data breaches are commonly reported, there is the potential for serious brand and reputation damage that no company would welcome. All the more reason, therefore, for agents working remotely to be equipped with technology that protects them and their customers, and this includes secure endpoints.

Put in place comprehensive protection of data

Remote working is likely to continue for the immediate future, so the smartphones, tablets, home PCs or laptops that are being used by agents to process and access customer data should have, at the very least, the same security posture as the managed devices that reside within the company perimeter. This includes making sure that SaaS applications are isolated or ‘containerised’ from any potentially compromised unmanaged machines or endpoints.

The vulnerability of endpoints means that solutions have to specifically protect data entry, particularly into remote access apps, web browsers and Microsoft Office applications. Browsers that access the corporate network should be locked down, including URL whitelisting, enforced certificate checking and enforced HTTPS.

Whilst this is a comprehensive approach, it is neither time-consuming nor costly. A simple download and install from pre-configured software will provide an effective and rapid resolution to the threat. Call centre IT managers can select proven anti-key logging software that can protect every keystroke into any application and prevent screen-scraping malware from stealing customer credentials, payment and sensitive personal and credit card data and be sure that they are compliant with PCI.

Covid-19 is no longer an excuse for sub-standard service

As we begin to get back to a ‘new normal’, banks and insurance company customers will be looking for the highest standards from their financial services providers, regardless of whether the agent they speak to is working in a physical call centre environment, or at home. Covid-19 will no longer be an acceptable reason for not delivering a secure, compliant service. The contact centre industry must address areas of weakness and put in place the necessary procedures so that agents and customers can be confident that they, and their data, are fully protected.

Need help protecting your customer data?

If you would like to know more about the technologies that are available to help protect your customer data, the team at Contact Centre Panel can help. We have built a technology network to help businesses to source the ‘right fit’ providers, who can best meet their needs. This is a free of charge service and includes expert advice and guidance from our technology experts.

There are lots of definitions available about the meaning of governance, with some strong words such as authority, bureaucracy, command, control, direction, domination, dominion, empire, execution, executive, guidance and influence – but for me, it is simply having a structure to measure successes and opportunities with awareness and accountability.

You can download plenty of advice from the internet along with handbooks and frameworks, with good governance at the heart of any successful business. Effective governance is essential for a company or organisation to achieve its objectives and drive improvement, as well as maintain legal and ethical standing in the eyes of shareholders, regulators and the wider community.

So how has the current pandemic changed people’s view on governance?

From my past experience, governance used to mean a monthly face-to-face meeting with some senior representatives from the business and its partners, where failings would be highlighted. Action plans were created, which usually resulted in a poor experience and an ineffective, unproductive use of time.

Thankfully, over time our approach to managing governance has improved. Having experience of writing governance schedules for contracts and then ensuring full roll-out, I have clearly seen the benefits of getting it right.

Communication is key

Governance should be a two-way street with joint accountabilities and a clear path to working together to deliver the desired outcomes for the customer and both parties. It should be a method by which clear and transparent communication takes place, ensuring everyone has the same understanding and that the activity, once embedded, delivers gains and is a vehicle to celebrate success.

Particularly important right now is the content and frequency of governance sessions. Wouldn’t it be great for your partner to come to you with regular updates on customer sentiment and opportunities to add value? You may already have this in place but is the governance there to back up the statements and ensure effective decisions are being made based on proven insight? Have you got full transparency on operational performance during a time when a large proportion of staff are working from home?

Is there governance in place to track not only productivity but also data security, value add, innovation etc.? Insight provided through the correct governance framework will be invaluable right now and inform the future customer experience along with contact channels and product mix.

The ingredients of a good governance model

Having a strong governance model not only helps maintain a consistent and high level of service for your customers but also strengthens your partner relationships by allowing open dialogue to jointly work through areas of priority in an ever-changing environment.

If you are looking to create a governance model that fits your requirements right now, I would advise that you consider the following:

  1. Purpose – What do you want to achieve from the governance framework? Is it to review metrics, provide updates or review the relationship? Make sure you are clear from the start to manage expectations. You may want several independent governance frameworks – depending on the size and complexity of the relationship.
  2. Frequency – Depending on the purpose you may have a series of interactions. Most will be periodic but also plan for the unexpected and build in flex.
  3. Method – Long gone are the days when all governance meetings took place face-to-face, thankfully! A daily SMS is sufficient for quick performance updates and an in-depth monthly Zoom or Teams meeting works well.
  4. Attendees – Aim to get a mixture of decision-makers and those accountable for the objectives, plus someone to take a note of the actions and assign owners.
  5. Escalation routes – Be clear on the strategy for when the outcome is not what was expected. All too often I see companies continue in a circle of raising an issue in a governance meeting and not really resolving it and then it appears the month after.

Good practice has shown that it is never too late to take a review of your existing governance framework and adjust to suit the current situation. Being flexible and transparent will ensure the best outcomes are delivered for all parties.

Try to focus your objectives around trust and integrity, innovation for successful services and delivering value. Times are changing and so should your approach to effective governance.

If you need any support with your own governance approach or some ideas for alternative frameworks to suit your needs, get in touch as we can help.

Although there are presently no reliable statistics, it is our understanding, from talking to our contact centre partner network and clients, that hundreds of thousands of contact centre based agents are now handling customer contacts from home.

Amidst all the uncertainty, distress and economic damage that Coronavirus is causing, there have been some positive outcomes. One of these is the impressive way in which the planning and implementation of large technology projects, like the mass shift to home working, has been achieved in only a few short weeks.

However, contact centres who have moved quickly to wholly distribute their workforce are still faced with massive operational challenges including erratic levels of demand, huge changes to channel usage and how to engage, motivate and support staff without a physical connection. But there are also key and often pressing regulatory and compliance questions to be understood and addressed.

How do you prioritise?

Having the responsibility for maintaining customer experience and engagement in the new ‘virtual’ contact centre is a particularly tough task. So, who has the time to ponder what the contact centre homeworking compliance issues are?

Increased risk exposure

In these times of rapid change, meeting compliance and regulatory needs must be underpinned by a focus on prioritisation. Many areas need to be reviewed and changes made, but while some can wait, others really cannot.

The simplest approach is to take a risk-based view. For most organisations, their biggest risk and exposure through contact centre homeworking is not regulatory, it is criminal.

Although many brands and customer management service providers have responded very quickly to Covid-19, criminals and fraudsters have been quicker still.

Fraud

Home-based workers, remote from their usual support and information sources, are potentially vulnerable to fraudsters. To add to this risk, many customers are being faced with new personal and financial challenges, whilst organisations are having to handle an increased level of demanding and emotional contacts. Criminals will exploit this emotionally charged time by emulating stressed customers to gain leverage and access to sensitive information.

If data and payment management systems and processes are already insufficiently secure, there is the additional danger that employees may be persuaded or threatened to copy and share data. Data security flaws in a traditional contact centre environment will just be amplified in a home-based environment.

Data Protection and the Information Commissioner’s Office (ICO)

The ICO realises that it needs to avoid standing in the way of organisations’ Covid-19 coping strategies. The ICO has said “We understand that resources, whether they are finances or people, might be diverted away from usual compliance or information governance work. We won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period”.

Specifically, on homeworking the ICO says “data protection is not a barrier to increased and different types of homeworking”. The following excerpt from their own information states:

More of our staff will be homeworking during the pandemic. What kind of security measures should my organisation have in place for homeworking during this period?

Data protection is not a barrier to increased and different types of homeworking. During the pandemic, staff may work from home more frequently than usual and they can use their own device or communications equipment. Data protection law doesn’t prevent that, but you’ll need to consider the same kinds of security measures for homeworking that you’d use in normal circumstances.

This is an empathetic stance, but data protection can create a business process hurdle that organisations need to clear. The ICO’s ‘softly-softly’ approach to enforcement suggests that homeworking can be implemented now without an onerous review of data protection rules and procedures, but that work will need to be done as soon as you can. Create a diary note.

Anecdotally, some contact centres have reported increased contact and conversion rates on their proactive outbound calling. More generally, a largely captive nation of consumers is encouraging some businesses in specific sectors to accelerate their marketing efforts. If these opportunities require either the acquisition of third-party prospect data or new/extended proactive contact methods and channels (phone, email, social), then organisations need to tread warily. The use of inappropriate or non-compliant data sources and misuse of communication channels, against Ofcom or PECR rules, can leave organisations wide open to fines, reputational damage and the closure of revenue streams.

Payments

Contact Centre Panel’s John Greenwood has already highlighted the risks of not ensuring that card payments taken by homeworking staff are PCI-DSS compliant, as detailed in our recent article. Remember, the ICO explicitly states that, in the event of a data breach, if an organisation has failed to follow the PCI-DSS rules, the ICO will hold that against them.

The ICO states: “Although compliance with the PCI-DSS is not necessarily equivalent to compliance with the GDPR’s security principle, if you process card data and suffer a personal data breach, the ICO will consider the extent to which you have put in place measures that PCI-DSS required particularly if the breach related to a lack of particular control or process mandated by the standard.”

Insurance

The insurance industry, in part due to government encouragement, has responded flexibly and helpfully to business change in the face of Covid-19. Most insurers have extended liability cover to include staff now working from home, as well as continuing to cover IT equipment (all those newly purchased laptops!) now located in employees’ homes rather than in offices.

However, it is best to check with your business broker or insurer to ensure you are covered.

Health and Safety

The Health & Safety Executive requires employers to conduct workstation assessments of staff using Display Screen Equipment (DSE), whether staff are office or home-based. The HSE says that there is not a requirement if staff are working from home ‘temporarily’, but as time goes on some contact centre home working is likely to feel semi-permanent.

Beyond DSE, the Health & Safety Executive states that employers must consider:

• How will you keep in touch with them?
• What work activity will they be doing (and for how long)?
• Can it be done safely?
• Do you need to put control measures in place to protect them?

This applies whether the home working arrangement is permanent or just for the short-term. The best contact centre employers are mindful of this, but there are financial and health risks to both employees and employers if these measures are not in place.

Wellbeing

Although it has not really hit the regulatory radar yet, many contact centres have been at the forefront of recent initiatives to recognise the importance of maintaining good mental health in the workforce. At a time of societal change and increased awareness of anxiety and stress, the importance of the role employers play in helping staff remain focused and effective has never been greater. Ensuring the continued emotional support of contact centre staff, at all levels, needs to be maintained in parallel with working out how best to maintain motivation, morale and operational performance.

Contact Centre Panel Network members are subject to compliance reviews. To join and then remain a partner they need to have the right level of expertise to navigate the rules and regulations needed to ensure that marketing and communication efforts remain compliant.

How can CCP help?

We have a team of specialists able to advise clients and network members on data compliance, the latest industry regulations, and best practice. Our services also extend to marketing data sourcing, contact centre training and engagement, wellbeing and secure payment processing.

Interview with John Greenwood, Head of Technology & PCI Compliance.

As many businesses are forced into homeworking, the need for remote access to internal systems to enable home-based agents to provide a full service has never been higher. Companies who can adapt quickly will improve their chances of long-term survival, emerging from this crisis with higher customer satisfaction and lower attrition rates.

We spoke to our very own John Greenwood, lead contributor to the PCI SSC Information Supplement (Protecting telephone-based payment card data) and authority on payments compliance in the contact centre and BPO (Business Process Outsourcing) sector. We asked John what advice he would give to organisations with customer service teams on coping with these pressures and his tips on how to rapidly build an improved operation for the future.

What new challenges are businesses facing?

John explained some of the major factors affecting business decisions in the sector today, “Quick alterations in the way customer service departments and contact centres work are placing new challenges in front of organisations. To maintain business as usual, major changes are having to be made to how people work. Amongst the issues that need to be dealt with are:

These operational challenges are daunting enough, but now there is a requirement for rapid deployment of home working solutions, which many existing technological solutions struggle to cope with.”

What are the biggest risks of a rapid move to homeworking?

John stated that, “Moving system access and agents away from a central site carries some significant risks. The introduction of chip & PIN payment technology moved payment fraud away from face-to-face and towards the ecommerce payments acceptance channel. As the minimum international data security standard for taking card payments (PCI DSS) has evolved to reduce ecomm’ fraud, so crime groups are adapting and the payment card industry is playing a continual game of catch up. Payment card details are valuable and easily monetised to fund organised crime; criminals are increasingly targeting businesses who use the MOTO (Mail Order, Telephone Order) payment acceptance channels. Contact centres have been an obvious target and now mass homeworking offers the unscrupulous a new opportunity.”

He continues, “It is not easy for organisations to fully replicate all the people, process and technology security measures that are in place in their contact centres, particularly as the transition to homeworking is happening so quickly. Many organisations have simply not had time to run a full risk assessment or discuss their significant changes in risk profile with their acquiring banks. Whatever your circumstances, working from home and handling payment card data puts your homeworkers at risk of being approached by organised crime.”

John added, “Data breaches and compromises of personal data can be hugely damaging both financially and reputationally, with prosecutions making headline news. A breach of the Data Protection Act will also attract action from the acquiring bank on behalf of the payment brands (Visa, Mastercard etc). This means ‘penalties’ of up to €18 per card exposed and potential notice to withdraw payment facilities until evidence is provided that minimum data security standards were being met, which means PCI DSS compliance being certified. If a breach is found, it is likely that your operation will be suspended, at least temporarily but potentially permanently. This will have obvious effects on the business and your teams. The reputational consequences on top of the obvious financial implications could seriously damage your organisation in the long term. Put simply, you may lose the ability to take money through your agents in the short term, risk reputational damage and risk an ICO fine. Then there would be the added costs of forensic investigation, increased transaction charges and for either achieving or maintaining PCI compliance.”

He continues, “From a liability point of view, your customers are protected. The financial burden is on the merchant. Certainly, from a data protection standpoint if the merchant had failed to create a defendable position, by documenting a risk assessment to support the security of personal data in the home working environment.”

What does your business need to do to safely move into the ‘new world’ of homeworking?

Enabling homeworking on a large scale is an opportunity for brands to improve operations, manage costs and increase flexibility in the workforce. It’s vital that your business approaches this opportunity in the right way.

John says “Take the chance to reduce and remove risks from your operations. You can do this by carefully choosing your technological and communications platforms, finding solutions which are easy to implement and enable compliance with PCI DSS (Payment Card Industry Data Security Standards). There are compliant and rapidly-deployable options available including Ciptex RACE, built on the Twilio platform – which it shares with some of the world’s most successful, reliable and secure apps including WhatsApp, Airbnb, and Uber.”

By implementing effective systems rapidly, you can protect not only customers, but your homeworkers and ultimately the business. The rethink, which has been forced upon us all by a global pandemic, might be responsible for organisational improvements and increased protection.

Do you need to safeguard your remote payments?

If you’d like to talk about a technology-independent way to quickly implement safe payment processing for your business, the team at Contact Centre Panel can help. We’ve built a technology network by helping contact centres to safely and securely meet business and customer needs.

The consumer association, Which?, recently published their annual mobile-customer satisfaction survey. They asked 6135 of their members to rate their mobile network provider on a range of factors including customer service and value for money.

The results highlighted that the three biggest mobile operators were failing to offer their customers a satisfactory level of service, despite often costing more than smaller rivals. Vodafone, EE and O2 all finished in the bottom three, while virtual network operator Giffgaff topped the poll.

Vodafone performed the worst overall for customer service, only achieving a one-star rating for service, value for money and technical support. 20% of the Vodafone customers surveyed said that customer service was poor, including complaints and query handling.

EE, the UK’s largest mobile network, also ranked among the worst providers, with only 25% of EE customers saying they had received good or excellent service for technical support, and less than half said the same about ease of contact and customer service.

The smaller network providers came out on top of the 13 networks included in the survey. Giffgaff was rated the top network in the survey, with Utility Warehouse and Plusnet Mobile taking second and third place.

To read the full results of the Which? best and worst mobile networks survey click here

With this in mind, we have pulled together a list of the top ten most common reasons for customers to get upset with their mobile service provider:

1. Responding to enquiries too slowly
2. Providing information to one call agent only to have to provide the same information to a different call agent from the same company at a later point
3. Providing information to an automated system and then having to repeat the same information when connected to a call agent
4. Receiving excessive volumes of communication
5. Receiving communication that you consider an invasion of privacy
6. Treating you with a non-tailored one size fits all approach
7. Inaccurately tailored communication, i.e. being addressed incorrectly - “Mr” in a customer letter when you are female
8. Receiving information that is inaccurately targeted i.e. offers of a joint account when you are single
9. Receiving little or no communication
10. Over-familiar tone in communication

If your customer service is falling short, get in touch to find out how Contact Centre Panel can help.