Charles was a panelist on our recent Homeworking webinar and was the ideal person to speak to about the risks facing customer service and contact businesses as they embrace hybrid working models as we ease out of the pandemic.
As we emerge from the pandemic, what has Covid meant to Health & Safety professionals?
Charles recalls the past year: “Covid was a surprise to most health & safety professionals. The pandemic fell upon us and many people thought that it would be a temporary situation, with working from home as a short-term fix but as the pandemic became a fact of working life, Health & Safety professionals have had to consider some more permanent solutions: can people realistically do their jobs at home? And from the professional standpoint, can they do it safely?”
He continues: “In over a year since the first lockdown, we’ve all become very familiar with the ways that home and hybrid working have been made possible. Most people think of the software solutions like Teams, Zoom and so on, but from a Health & Safety perspective we have to think much more widely.”
Charles concludes: “From a health & safety perspective, working in a home environment is very different to an office.”
So as people have got used to working from home and are now returning to more flexible, hybrid ways of working, what are the big Health & Safety considerations?
Charles explains: “The workplaces we are used to will have had Health & Safety Risk Assessments in place, which recognise hazards and provide ways to mitigate and control the risk. These are generally standardised and can be made available to managers and workers relatively easily and centrally. Workstations in offices, especially contact centre environments, tend to be similar and provide a good level of safety to team members. Allowances can be made for individuals on a case-by-case basis depending on their needs, which can be easily talked about during the working day.”
He states: “It’s completely different when people find themselves relocated to working from home at short notice. We have experienced enormous variations in the suitability of workspaces, equipment and challenges which we had very little time to prepare for or adapt to.”
Charles points out: “Under Health & Safety laws, employers have an obligation to ensure that their staff are kept safe. This applies to wherever the workers are fulfilling their roles.”
He continues: “Bad workplaces can result in serious problems for workers. Lighting, ergonomics and comfort, as well as the immediate physical safety of appliances or tools, are more difficult to control away from the office but are equally important wherever your team members are working and using them.”
How can customer service businesses deal with the new risks?
Charles states: “If you have team members who are spending any time working from home, your obligations as an employer cover both the office and the home workspace, or anywhere your staff regularly work. In practical terms, this means completing a risk assessment for hybrid and homeworkers in their homes. These risk assessments should be used to establish what our workers have in place, versus what they should expect.”
He continues: “In short: If your workers’ spaces cannot be made safe, then those workers should not be working from home.”
Charles adds: “There are more detailed requirements too. PAT (Portable Appliance) Testing is a well-known control measure in the workplace. Equipment used elsewhere must be kept safe, one of the more easy-to-understand difficulties with basing people away from any centralised location.”
He concludes: “Businesses can use standardised tests to identify many risks in non-standard workplaces, though. A DSE Workstation Assessment can be completed by employees with minimal, easy-to-understand training and support. An electronic assessment sent to the HR department or an independent Health & Safety consultancy can be used to collate a company-wide view of the main risks. This view can be analysed for the organisation as a whole and used to prioritise actions and mitigate risks, as well as demonstrating a commitment to looking after your teams.”
What about individual needs?
Charles starts: “A company’s obligations extend to all employees, not just the workforce as a whole. Where an individual team member has an issue, it’s up to the employer to decide what action should be taken.”
He explains: “Some people find homeworking difficult, so an extra effort should be made to make communication regular and as easy as possible for your teams. One good example of this which we’ve seen clients enjoying during the pandemic is a weekly online social lunch, where teams spend time together, from home, without a business agenda. Events like this can maintain a sense of togetherness during difficult times and might help hybrid workers long into the future.”
Charles says: “Stress is an adverse reaction to pressure. Pressure can improve performance in some people but too much pressure can have a seriously adverse effect on not only results, but the health of your people.”
He continues: “If we think of stress as water, everyone has a different-sized jug for their ability to deal with the flow of it. Employers bear a responsibility to alleviate and manage the pressure, to reduce or control the flow of that water. It’s important to be aware that pressure not only flows from work, but from everywhere else in an individual’s life too.”
Charles states: “Hybrid working is a good example of the flexibility now available to employers. Remember that the same flexibility can be used to offer employees a less stressful way of working, something that suits their own life and challenges more effectively.”
He explains: “With less organic interaction between your teams, try to encourage more mentorship and informal training to allow your employees to develop their skills as well as their social interactions. Support knowledge-sharing, wherever possible, to replace those conversations which many of us used to have in the office every day. Mentoring can be a vastly underrated and highly effective method of informal training for the whole business.”
Charles concludes: “It costs around £10,000 on average to replace an employee, so businesses should be aiming to retain their team members, not least for simple economic reasons.”
With many offices now opening, what should businesses be thinking about in terms of Health & Safety?
Charles states: “If there’s one thing to take away, it’s that a person’s workplace is everywhere they work. That means that employers have a duty of care to take account of working conditions in more than just the office. If you can’t do that for everyone, then you might have to enable some of your team members to come back permanently to the office.”
He concludes: “Outside the legal point of view, forward-thinking employers will also be communicating with their team members much more frequently than they used to. There are more factors at play now than ever before, with the lines blurring between home and working lives, so as employers we need to be more mindful of the health of our teams. We can help to keep the business healthy by working hard to keep our people healthy too.”
If you’d like to discuss how your organisation can be more effective in implementing hybrid working successfully, our expert team can help. This includes providing guidance on how to work with your employees to maximise their health, happiness, and productivity.
Our ‘coffee table discussion’ panel explored the possibilities…
The rapid drive towards homeworking throughout 2020 has forced many contact centres to enable agents working from home, but some operations have felt forced into cutting corners, especially in relation to payment security, data compliance and working standards.
Contact Centre Panel’s series of webinars was launched to discuss these issues and to offer practical solutions for contact centres to provide an excellent level of service whilst safeguarding clients, callers and agents as well as their own business.
On 17 February 2021, Contact Centre Panel hosted a webinar focused on contact centre homeworking, asking our panel of experts the question ‘how can businesses create a genuinely safe, secure and flexible working environment for their teams so they can flourish and achieve wherever they work?’. John Greenwood, Head of Technology & Payments, Contact Centre Panel, hosted the webinar and was joined by:
- Simon Turner, PCI DSS Advisory Cloud Services & Contact Centres (QSA), BT Plc, providing input from a security and payments compliance perspective
- Steve Sullivan, Head of Regulatory Compliance, Contact Centre Panel, a contact centre operations and Data Protection specialist and vice-chair of the UK Data & Marketing Association’s Contact Centre Council
- Brent Agar, Director, SentryBay, an endpoint security expert with over 20 years’ experience
- Felix Clarke, Cloudbased Partners, an experienced risk assessment specialist
What’s the situation in early 2021?
In our audience survey:
- 75% of companies reported that more than 75% of workers are working from home, with 18% having 51-75% at home, and 17% having 26-50% of their workforce home-based
- 54% said no employees are using their own devices to access corporate systems, while 46% reported that between 1 and 25% of employees connect to company systems using their own computers
- Similarly, 54% of our audience stated that they have a post-lockdown location strategy already, with 46% not having this in place yet
Along with the growth of home working, there has been a rise in telephone-related fraud. Feedback from the Payment Card Schemes points to an overall increase in the MOTO (Mail Order Telephone Order) payments acceptance channel of up to 400% since March 2020, a clear indication that the criminal community is taking advantage of the changes that home working is forcing upon us.
Minimising these risks is not only good business: when it comes to keeping data secure, it’s a legal obligation covered by the Data Protection Act 2018 and the Health and Safety at Work Act 1974.
Looking at the big picture, Steve Sullivan began by highlighting that homeworking has brought some big positives to the sector:
- Increased working flexibility
- Access to a much wider pool of talent
- Increased retention of good employees in the short term
- Happier agents
Based on recent research, most businesses have seen overall increased performance metrics, including CSAT (customer satisfaction) results, plus performance and productivity improvements up to the end of 2020.
Talking about the most important technical implications of the forced move to working from home, Brent Agar and Simon Turner outlined the challenges presented by the move from a physical security world, where offices and contact centres were built and managed to be secure places for people and data to be put to work, to a remote working situation where endpoint security has become the focus for compliance and protection.
What’s the risk exposure of teams moving into the home environment?
Felix Clarke described the situation now: “We’re in this blitz spirit situation where people have been prepared to put up with it and wait and see… The Government has said that they will bring out new health & safety rules but they’re not ready yet… and the unions and lawyers who know they can’t get involved yet but are waiting.” However, this spirit of all being in this situation together cannot last forever. For now, employees working from home and their employers are finding ways to get the job done, but the honeymoon period is bound to end and organisations that are cutting corners will start to be exposed. This will have knock-on effects not only for team members but for end consumers, brands and contact centre business owners alike.
Where payments are concerned, there are risks associated with employees using their own computers or where company-owned computers are not fully protected. Traditional anti-virus software may not protect your business from some technical weaknesses. Options include buying and maintaining expensive computers for your full team or installing additional software to protect your business from attacks.
It’s critical to remember that your people are in scope too when it comes to compliance with standards. Technology is important of course, but your agents, whether internal or outsourced, are a critical part of the process. Iteratively developing our processes to take account of the behaviour of agents working away from the usual office environment is crucial.
What technological solutions are out there?
The risks inherent in homeworking can be partially mitigated by good endpoint security systems. The PCI Standards Council says that ‘by limiting exposure of payment data and your systems, you simplify scope and validation, reducing the chance of being a target for criminals.’
The reality is that in any situation where an agent is taking personal or payment data over the phone, there is a risk that the data can be recorded manually or digitally, either in good faith or, more worryingly, criminally, using techniques such as keylogging or screen capture systems which can be installed without the user’s knowledge through spyware or similar attacks.
Brent introduced a piece of software by SentryBay which scrambles the information taken by keyloggers and disables screen capture. So regardless of whether the agent is acting dishonestly or has been the unwitting victim of a spyware attack, the software prevents sensitive data being captured and passed on. With millions of installations worldwide, this tried and tested solution is used by some of the largest banks and insurance companies to help them minimise their risks.
Software like this is not restricted to large financial institutions, however. With most businesses that use contact centres processing personal data and payment data in some form, there is arguably a greater risk to smaller businesses. Implementing solutions such as technical endpoint protection is scalable and suitable for all sizes of business. It’s important to remember that the liability for compliance rests with the merchant, even if they use outsourced resources to process data or payments.
Have industry bodies changed their approach?
In the UK, the ICO (Information Commissioner’s Office) has published a lot of advice on working from home but has said little about the security of payment card data, pointing only to the Payment Card Industry Security Standards Council (PCI SSC), the body responsible for the security standards supporting the card payments ecosystem, where guidance on homeworking has been published and promoted.
The Data and Marketing Association (DMA) has not fundamentally changed its guidance for distributed workforces at this stage but encourages a systemic approach to data security and data protection. Being aware of your duty of care to front line staff to minimise their exposure is important.
Regulators will not maintain their recent light touch indefinitely and some large brands will doubtless fall foul of decisions they have made which do not mitigate risks sufficiently. If you build systems that protect your staff from sensitive data, they will have to worry less about the lure of fraudulent activity and can focus more on the positive aspects of their jobs.
What about the claims industry?
As an employer, if you put your teams into a situation where they are at risk, the claims industry is likely to be preparing to catch up with you soon. Felix Clarke: “We’ve already seen articles with titles like ‘17 ways you can hurt yourself working from home’ so if you inadvertently put employees into a situation where they could be hurt or discriminated against while working from home… claims will probably follow before too long.”
How can we help our teams to safely provide an excellent service to our customers?
To summarise the findings of our panel, there are a few key considerations that will help enormously to protect customers, agents and businesses:
- Secure the endpoint using appropriate systems
- Prevent card data entering your systems by employing best-practice data capture
- Beware the likely claims which are bound to result from an industry dealing with major physical change
- Look after your people at home and their working environments
To summarise the discussion perfectly, Steve Sullivan said: “There are a lot of angry frustrated customers out there… so anything we can do to make our agents’ lives easier and let them focus on what they’re best at is for everybody’s benefit.”
You can hear all the insights given by our expert panel in full by watching the webinar:
Our next webinar is focused on ‘homeworking health & safety considerations and legal risks’. If you’d like to attend, click here.
If you’re unsure how to assess your business’s risk exposure and how to equip it to handle any new risks posed by changeable working conditions, we can help by advising you on the risks you need to consider and the best way to mitigate them. We can also help you to learn how to work with your employees to maximise their health, happiness, and productivity. Get in touch.
When it comes to Data Adequacy, it’s been a slow process for the UK to gain full agreement from all the EU institutions and although we cannot be 100% sure, it’s now looking almost certain that the EU will deem the UK’s data protection regime ‘adequate’. This will then allow data transfers to continue between the UK and EU as they do at present. For further detail from the ICO, click here.
The lawyers’ lament
An ‘adequacy’ decision is one of the most important rulings needed to ensure uninterrupted trade in data and services for the UK with the EU, post-Brexit. Without this decision, thousands of individual contractual arrangements would have to be created to cover companies needing to transfer personal data between the UK and EU and vice versa. As we’ve explained before, aside from all the business process disruption that would be caused if the UK’s data protection regime was to be ruled inadequate, there would be a massive, direct legal cost – as covered in our previous article. The New Economics Foundation estimated in a recent report that the legal work necessary without an adequacy decision would have cost British businesses between £1bn and £1.6bn. Listen carefully and you can hear the quiet sobbing of contract lawyers missing out on all that work. Tragic!
Transatlantic troubles
So, the adequacy decision is great news, but here’s something else to worry about.
The Privacy Shield was an arrangement designed to provide a mechanism for personal data to compliantly flow between companies in the US and the EU. However, the framework collapsed last summer after being ruled invalid by the European Court of Justice in the Schrems II case – for details click here.
You might not directly deal in the personal data of individuals in the US, but it would be a rarity for an organisation not to use any US based technology or solutions that make use of data centres in the US. If so, then you need to address this challenge. Remember, the legal definitions of data processing are extremely broad, so having static data in storage in the US or even being visible on an ad hoc basis to a support engineer working on a case both count as ‘processing’.
There are many organisations that still haven’t managed to create alternative arrangements to transfer personal data across the Atlantic. The EU is working on a replacement for the Privacy Shield, but there is no guarantee this can be agreed any time soon. The data protection regulators, like the Information Commissioner’s Office in the UK, aren’t rushing to penalise companies still transferring data under pre-existing arrangements. But those legacy arrangements aren’t compliant and your business partners, clients and risk management colleagues are all likely to start looking for businesses to put a solution in place.
More work for you and the lawyers!
To create a solution you will probably be reliant on using Standard Contractual Clauses (SCCs) as the basis for transferring data legally. SCCs are a type of agreed, boilerplate legal solution that provides an outline framework to ensure that both parties are handling data compliantly, onto which the specific business and process details are added. Unfortunately, the SCCs are in the process of being amended and updated – for further information click here.
There are draft new versions you can make use of, but you might find that your commercial law firm will soon need to change them again if the final version is different. So, more cost and more uncertainty, but good news for those work-deprived contract lawyers.
With homeworking becoming a daily reality for many workers who had traditionally been based in the office, the parameters by which businesses need to be managed and protected have changed.
From early on in the pandemic, most large organisations have made it possible for their staff to work from home, only visiting the office when necessary. Although this new flexible way of working has had many benefits, it has also led to a far wider variety of data security and personal health risks across the distributed workforce.
A recent BBC article highlighted the main cybersecurity issues, although none of them comes as a big surprise. The most interesting facts and statistics were:
- One in three workers are now based exclusively at home
- One in five workers has had no cybersecurity training at all
- Two out of three workers who print work documents at home do not shred them after use
- Almost 3 out of 5 IT decision-makers believe that remote workers will expose their firm to risk of a data breach
In addition to this, many organisations that have successfully moved their workforces into the home, after adapting or redesigning their business processes and corporate systems to enable productive working, are up against a potential legislative ticking time bomb in relation to remote workplace safety.
Where there’s blame…
The UK claims industry has not had an easy time of it recently. With only a few exceptions, the door is now firmly shut for PPI claims and planned changes to the whiplash claims process will further curtail revenue opportunities.
What is next for the claims sector? Will it be class actions against companies by groups of employees who have been forced to work in unsuitable home environments?
While the home environment has, before 2020, been the homeowner’s domain, it is now the workplace. Any accidental damage caused by trailing cables, poorly placed computers or unsuitable seating might now fall on the employer to address. Then add to that the potential mental damage caused by having to balance work and family commitments within a confined space. The claims industry could have a field day!
What should your business be doing about it?
It is essential your business acts now and puts your company in a defendable position.
Failing to fully document a ‘risk assessment’ of your organisation’s ability to meet its obligations under the Data Protection Act 2018 and the Health and Safety at Work Act 1974 may not be an easy position to defend.
Both these pieces of legislation make very clear what an organisation’s responsibilities are for them to comply with the Act and keep both data and people safe.
Recording decision-making actions, particularly at Board level, that are reasonable, proportionate and timely will help create the defendable position that insurers will look for when defending a potential claim.
Do not believe for one minute that the claims industry are not preparing themselves for this and do not think that your organisation is immune. Ensuring that your organisational risk documentation is complete and that words and actions are aligned to what could be considered a reasonable timeline, will be essential components of a defendable position.
Help your team to work with you
In short, homeworking is here to stay. Businesses have shifted and employees have become accustomed to the ‘new norm’. However, it’s not plain sailing yet as mistakes are being made and so far, most organisations are getting away with them. Don’t be the organisation in the first batch of ‘class actions’ because of lack of timely decision making and appropriate, proportionate and timely actions.
By working with your team to provide a safe and productive homeworking environment, with protected systems and structured support, your business can be a home-based success. Your team can grow and thrive, knowing what to do if problems occur and feeling supported in their work.
If you’re unsure how to assess the risks posed by homeworking and how to equip your business to deal with them, get in touch. We can advise you on what areas need to be considered and how to mitigate risk. We can also provide tips on how to work with your staff to maximise their health, happiness and productivity.
So, at the last minute and just in time for Christmas, the EU and UK agreed a post-transition Brexit trade deal. If you read our article published just a few days before Boris and Ursula settled their fish-based disputes, then you would hope that the deal included the vital EU ‘adequacy’ ruling on UK personal data protection rules. Unfortunately, this was not the case.
The parties have agreed a 4-to-6-month extension to the current arrangements, so personal data can continue to flow between the UK and the EU, but that looks like the final extension.
What does ‘Processing Personal Data’ really mean?
It is a broad definition. ‘Personal data’ is essentially anything that can be used to identify a real, living person and ‘Processing’ covers just about any activity that involves that data. It does not just cover the use of data for communications, e.g. making calls, sending emails and messaging on social channels; analysis, segmentation and even simple data back-up on storage can count as processing.
Implications of a no adequacy ruling
If the EU does not give the UK an ‘adequacy ruling’ then, as stated by the government, the implications for data handling are that UK data being passed to Europe will be covered by existing laws, but if EU data is sent to the UK, it could contravene data privacy regulations. For pan-European operations, this will pose serious new risks.
If the UK’s rules are not considered adequate by the EU, then a raft of new contractual arrangements using Standard Contractual Clauses (SCCs) will be required. According to a report from the New Economics Foundation and UCL European Institute, ‘The Cost of Inadequacy’, “the aggregate cost to UK firms would likely be between £1 billion and £1.6 billion”, most of which would be the cost of commercial legal work to implement the necessary SCCs.
Are you feeling lucky?
So, should you start to worry about this now and give your lawyers a call?
You may well imagine that as the UK uses the EU-wide General Data Protection Regulation (GDPR) as the basis for its data protection rules and the 2018 Data Protection Act, then the European Commission would have no alternative but to grant the UK an ‘adequacy’ ruling. But that is not the case. A large number of data privacy professionals and data rights groups argue that the UK does not reflect EU standards in its collection and processing of personal data, especially in the areas of national security and data sharing with other friendly states, so shouldn’t be granted ‘adequacy’. It is worth noting that the European Commission has so far ruled only a small number of countries’ personal data protection to be adequate (Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay).
Do not forget the Privacy Shield
In the meantime, if you have clients in the USA or use technology solutions with data centres in the US, there is something else you need to pay attention to. Since 2016 an arrangement agreed between the US government and the EU called the ‘Privacy Shield’ provided a framework for US and EU companies to compliantly transfer personal data across the Atlantic. Last summer the Privacy Shield collapsed when the European Court of Justice ruled it invalid over concerns that US corporations are subject to making personal data available to US Government agencies.
This may seem like old news, but many organisations are only just waking up to the implications of it. For most companies, there is a solution that will allow appropriate personal data transfers to continue, but unfortunately, once again that is likely to be reliant on Standard Contractual Clauses, lawyers and considerable expense.
What to do?
To manage your risks there are two key pieces of advice we can give to all businesses who use private data in any way, whether for outbound sales, customer service or sales order processing:
- Minimise the amount of data you store per contact. The less data you store, the less likely it is to get you in trouble. Avoid storing risky data such as payment details unless absolutely necessary to your business model.
- Minimise the places you hold data. If your data is stored and processed in only one location, the amount of regulation is minimised. Also, the lower the number of transfers your data has to undergo, the lower the risk of breaches of privacy, or indeed of your business inadvertently falling foul of the regulations in one region or another.
As a last consideration, check all your IT service providers. Do you really know where your call recordings and network data backups are stored? Identifying where your data is held is essential. If hosted in the cloud then find out where the data servers are located and if your technology provider is unable to provide this information, then your business could be at risk and alternatives should be considered.
If you are unsure how to assess your risks and responsibilities now the UK has left the EU, get in touch. We can advise you about the risks you need to consider and potential ways to mitigate them.
As we head towards the end of December 2020, it is looking increasingly likely that Britain will leave the EU without a deal, or with an “Australia type deal” as described in some parts of the press. Although GDPR has been passed into UK law in the Data Protection Act 2018, leaving the EU without a deal will have some significant implications for how the rules around data privacy will apply in the UK in 2021.
The UK Government’s current stance is that ‘The EU is conducting a data adequacy assessment of the UK. If the EU grants positive adequacy decisions by 1 January 2021, it would mean that personal data can flow freely from the EU/EEA to the UK, as it does now, without any action by organisations.’
However, if we leave without a deal and the EU hasn’t given us an “adequacy ruling” then, as stated by the government, the implications for data handling are that UK data being passed to Europe will be covered by existing laws, but if EU data is sent to the UK, it could contravene data privacy regulations. For pan-European operations, this might pose serious new risks.
What is the UK’s data privacy situation as we leave the EU?
If the UK’s rules aren’t considered adequate by the EU, then a raft of new contractual arrangements using Standard Contractual Clauses (SCCs) will be required. This is according to a report from the New Economics Foundation and UCL European Institute, ‘The Cost of Inadequacy’. The report estimates that “The aggregate cost to UK firms would likely be between £1 billion and £1.6 billion”, most of which would be the cost of commercial legal work to implement the necessary SCCs.
Add to this the arrangement between the US and EU called the ‘Privacy Shield’, which was struck down by the EU over concerns that US corporations are subject to making data available to US Government agencies, which the EU considers a data risk. This creates additional implications for data sharing wider than the EU and UK in the western hemisphere.
How can you prepare to be Data Privacy compliant?
The EU has released some draft Standard Contractual Clauses which data controllers and processors can use to remain compliant in 2021 and beyond. Already, several commercial law firms are preparing advice which data owners can use to assess their position with respect to data from the UK, EU and other countries including the US. This may come at a price, so here is a very brief summary of the impacts that we expect to see:
- If you have UK data which you store and process in the UK, your operations are not likely to be affected in the short term, as long as they are already compliant.
- If you have UK data which is stored or processed in the EU, you are also not likely to be significantly affected in the short term. The EU’s rules should be enough to protect you against the most likely risks.
- If you have EU data which you store and/or process in the UK, you should review your risks and the new SCCs may be needed to assure your compliance. This will apply if you use many nearshore outsourced customer service or data processing teams.
- If you are a global operation with data from different regions which is transferred across borders, your situation may be complex and will need looking at carefully.
What is best practice in tomorrow’s data handling world?
To manage your risks there are two key pieces of advice we can give to all businesses who use private data in any way, whether for outbound sales, customer service or sales order processing:
- Minimise the amount of data you store per contact. The less data you store, the less likely it is to get you in trouble. Avoid storing risky data such as payment details unless absolutely necessary to your business model.
- Minimise the places you hold data. If your data is stored and processed in only one location, the amount of regulation is minimised. Also, the lower number of transfers your data has to undergo, the lower the risk of breaches of privacy, or indeed of your business inadvertently falling foul of the regulations in one region or another.
As a last consideration, check all your IT service providers. Do you really know where your call recordings and network data backups are stored? Identifying where your data is held is essential. If hosted in the cloud then find out where the data servers are located and if your technology provider is unable to provide this information, then your business could be at risk and alternatives should be considered.
If you’re unsure how to assess your risks and prepare for your future once the UK leaves the EU, get in touch. We can advise you about the risks you need to consider and potential ways to mitigate them.
India’s regulations governing outsourcers have recently been relaxed, making it much easier for contact centre agents to work from home and lowering the barriers to entry for businesses wanting to offer outsourced services from India. What does this mean for businesses using outsourced labour to meet customer service demand?
The slimmed-down regulations, announced earlier this month, mean that Indian outsourcers do not now need to register their premises, whereas previously every office used by an outsourcer was required to go through a registration process. There is also no longer any need to give static IP addresses for all operatives and the previously required bank guarantee per seat has been abolished.
This means that outsourcers in India can now create wide VPNs enabling voice and data to be shared throughout the country and across other countries too.
On the positive side, the new regulations mean that Indian outsourcers will be able to react to the global shift towards homeworking and counter the move by businesses to bring their operations back onshore, nearshore or inhouse, which could potentially have a devastating effect on India’s huge outsourcing sector.
What do you need to know?
Amazingly for any UK reader, the new regulations span just eight pages. You can read the entire document as published by the Ministry of Communications, Government of India, 5th November 2020, in a few minutes here.
Although there are requirements to make call data, secure system access logs and other details available on request, there is no obligation to submit these regularly or register them in advance. The emphasis in the new regulations is on correction rather than prevention of issues.
Is your business outsourcing to India?
These new regulations may make it easier for poorly managed or even unscrupulous operators to work in India. However, it is important to consider that they also make working from home practical for an industry that needs to adapt to a rapid global shift in the way contact centres work.
If you are using Indian outsourced service providers, ensure that their own operating parameters reflect what you need. Seek assurances that data is handled securely and that their systems are safe. Many established outsourcers will already have implemented good data handling and security infrastructures. Make sure that your customer data is safeguarded.
In short, there is no need to stop using reputable outsourced contact centres or remote business process handling. There is, however, an increased pressure to obtain the assurance that your customers’ data is, and will continue to be, handled securely and safely.
Want to assess your potential risk?
If you are unsure how to assess your risks with offshoring parts of your operations, we can help. We have a team of experts who can advise and assess your operation and, if required, a network of fully vetted, reputable outsource contact centres and technology providers who can provide alternative options to ensure your operations are safe and secure.
Contact centres, call centres and telemarketing agencies are under pressure right now to get their houses in order when it comes to the security of sensitive customer data. Under normal circumstances, the telecoms and IT systems that enable agents to handle calls, emails, chats and social communications are protected within the secure corporate perimeter. Covid-19, however, has forced a rapid exodus from physical offices and agents are working remotely on devices, many of which are not suitable for combating cyber crime.
Lockdown happened quickly and, for insurance and banking contact centres still heavily dependent on legacy systems, the remote working model is not generally supported. This has meant that all too many of their agents have been using laptops, tablets, home PCs and personal smartphones that have either no up-to-date security or software that is not designed to protect customer data, thereby compromising organisations’ obligations under the DPA 2018 and the PCI DSS.
Cyber criminals have seized the opportunity
Research from numerous security organisations and government agencies confirms the rise in cyber crime activity since March and for companies holding digital data on customers, there will have been a higher than average likelihood of being hit.
Attacks have come in a variety of insidious ways, from phishing and ransomware through to key logging, which is malware that tracks every key as it enters the system. Human fallibility is a factor in whether these attacks succeed; however, it is endpoint devices – laptops and smartphones for example – that put companies and their data most at risk. According to the 2019 Endpoint Security Report, 70 per cent of cyber breaches originate at the endpoint, and 42 per cent of endpoints are unprotected at any given time. When it comes to smartphones, the risk is not so much malware as data leakage, but regardless of how the breach happens, once a customer’s personal data is exposed, there are serious implications for those involved.
Working within the PCI DSS requirements
There is an additional pressure for organisations taking card payments, who are obliged to meet the Payment Card Industry Data Security Standard (PCI DSS). This protects customer credit card data over landlines, mobile phones, through Chat or use of apps. Contact and call centres use processes and technologies to manage this, ensuring that wherever agents process cardholder data, the transactions are monitored, logged and secured. However, the supporting processes and technology are within their physical estates.
Not every organisation is fully meeting its PCI DSS obligations, and adherence has become more sporadic over the last few months, but the contact and call centre industry needs to take this seriously. Any chink in their armour could result in data being stolen within seconds. While compliance with the PCI DSS is a contractual obligation with the acquiring bank, payment card data is treated by Data Regulators as personal data. This means that in the event of a data compromise organisations should expect payment card scheme penalties (up to €18.00 per card exposed) as well as fines from the Information Commissioner’s Office (ICO) and the potential of unlimited ‘class actions’ from card holders. As payment card data is more attractive to criminals than other common forms of personal data, having card data present in unsecured systems represents a significant risk. As data breaches are commonly reported, there is also the potential for serious brand and reputation damage that no company would welcome. All the more reason, therefore, for agents working remotely to be equipped with technology that protects them and their customers, and this includes secure endpoints.
Put in place comprehensive protection of data
Remote working is likely to continue for the immediate future, so the smartphones, tablets, home PCs or laptops that are being used by agents to process and access customer data should have, at the very least, the same security posture as the managed devices that reside within the company perimeter. This includes making sure that SaaS applications are isolated or ‘containerised’ from any potentially compromised unmanaged machines or endpoints.
The vulnerability of endpoints means that solutions have to specifically protect data entry, particularly into remote access apps, web browsers and Microsoft Office applications. Browsers that access the corporate network should be locked down, including URL whitelisting, enforced certificate checking and enforced https.
Whilst this is a comprehensive approach, it is neither time-consuming nor costly. A simple download and install from pre-configured software will provide an effective and rapid resolution to the threat. Call centre IT managers can select proven anti-key logging software that can protect every keystroke into any application and prevent screen-scraping malware from stealing customer credentials, payment and sensitive personal and credit card data and be sure that they are compliant with PCI.
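The browser lock-down described above (URL allowlisting plus enforced https) comes down to a decision made on every navigation request. The following is an added example, not code from this article or from any product it mentions; the hostnames and the `check_url` function are hypothetical, and certificate checking is assumed to be left to the browser's TLS stack.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist for an agent's browser (constructed values).
ALLOWED_HOSTS = {"crm.example.com", "payments.example.com"}
# Any subdomain of these parents is permitted (the bare parent is not).
ALLOWED_PARENT_DOMAINS = {"agentdesk.example.net"}


def check_url(url, hosts=ALLOWED_HOSTS, parents=ALLOWED_PARENT_DOMAINS):
    """Return (allowed, reason) for a navigation request."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL"

    # Enforced https: refuse anything that is not https.
    if parts.scheme.lower() != "https":
        return False, "scheme is not https"

    # "https://crm.example.com@other.test/" really points at other.test,
    # so URLs carrying a userinfo part are refused outright.
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"

    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "no hostname"
    if port not in (None, 443):
        return False, "non-standard port"

    # Normalise internationalised names so look-alike characters cannot
    # pass as an allowlisted ASCII hostname.
    try:
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return False, "hostname not valid IDNA"

    # Compare whole hostnames or whole labels, never substrings:
    # "crm.example.com.other.test" must not match "crm.example.com".
    if host in hosts:
        return True, "exact host match"
    if any(host.endswith("." + parent) for parent in parents):
        return True, "subdomain of allowed parent"
    return False, "host not on allowlist"


# Constructed sample requests covering the usual allowlist mistakes.
SAMPLES = [
    "https://crm.example.com/login",
    "http://crm.example.com/login",
    "https://crm.example.com@other.test/",
    "https://crm.example.com.other.test/",
    "https://eu.agentdesk.example.net/queue",
    "https://fakeagentdesk.example.net/",
    "https://crm.example.com:8443/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        allowed, reason = check_url(sample)
        print(f"{'ALLOW' if allowed else 'BLOCK'}  {sample}  ({reason})")
```

Logging the blocked requests with their reasons also gives IT managers a record of which unmanaged endpoints are attempting to reach sites outside the approved set.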
Covid-19 is no longer an excuse for sub-standard service
As we begin to get back to a ‘new normal’, banks and insurance company customers will be looking for the highest standards from their financial services providers, regardless of whether the agent they speak to is working in a physical call centre environment, or at home. Covid-19 will no longer be an acceptable reason for not delivering a secure, compliant service. The contact centre industry must address areas of weakness and put in place the necessary procedures so that agents and customers can be confident that they, and their data, are fully protected.
Need help protecting your customer data?
If you would like to know more about the technologies that are available to help protect your customer data, the team at Contact Centre Panel can help. We have built a technology network to help businesses to source the ‘right fit’ providers, who can best meet their needs. This is a free of charge service and includes expert advice and guidance from our technology experts.
There are lots of definitions available about the meaning of governance, with some strong words such as authority, bureaucracy, command, control, direction, domination, dominion, empire, execution, executive, guidance and influence – but for me, it is simply having a structure to measure successes and opportunities with awareness and accountability.
You can download plenty of advice from the internet along with handbooks and frameworks, with good governance at the heart of any successful business. Effective governance is essential for a company or organisation to achieve its objectives and drive improvement, as well as maintain legal and ethical standing in the eyes of shareholders, regulators and the wider community.
So how has the current pandemic changed people’s view on governance?
- Is it the first thing to go?
- Is it more important now or a nice to have?
- Have companies had to reconsider the amount and frequency of governance that takes place?
- Has there been a greater and more frequent need for governance – such as daily war rooms?
From my past experience, governance used to mean a monthly face-to-face meeting with some senior representatives from the business and its partners, where failings would be highlighted. Action plans were created, which usually resulted in a poor experience and an ineffective and unproductive use of time.
Thankfully, over time our approach to managing governance has improved. Having experience of writing governance schedules for contracts and then ensuring full roll-out, I have clearly seen the benefits of getting it right.
Communication is key
Governance should be a two-way street with joint accountabilities and a clear path to working together to deliver the desired outcomes for the customer and both parties. It should be a method by which clear and transparent communication takes place, ensuring everyone has the same understanding and that the activity, once embedded, delivers gains and is a vehicle to celebrate success.
Particularly important right now is the content and frequency of governance sessions. Wouldn’t it be great for your partner to come to you with regular updates on customer sentiment and opportunities to add value? You may already have this in place but is the governance there to back up the statements and ensure effective decisions are being made based on proven insight? Have you got full transparency on operational performance during a time when a large proportion of staff are working from home?
Is there governance in place to track not only productivity but also data security, value add, innovation etc.? Insight provided through the correct governance framework will be invaluable right now and inform the future customer experience along with contact channels and product mix.
The ingredients of a good governance model
Having a strong governance model not only helps maintain a consistent and high level of service for your customers but also strengthens your partner relationships by allowing open dialogue to jointly work through areas of priority in an ever-changing environment.
If you are looking to create a governance model that fits your requirements right now, I would advise that you consider the following:
- Purpose – What do you want to achieve from the governance framework? Is it to review metrics, provide updates or review the relationship? Make sure you are clear from the start to manage expectations. You may want several independent governance frameworks – depending on the size and complexity of the relationship.
- Frequency – Depending on the purpose you may have a series of interactions. Most will be periodic but also plan for the unexpected and build in flex.
- Method – Long gone are the days when all governance meetings took place face-to-face, thankfully! A daily SMS is sufficient for quick performance updates and an in-depth monthly Zoom or Teams meeting works well.
- Attendees – Aim to get a mixture of decision-makers and those accountable for the objectives, plus someone to take a note of the actions and assign owners.
- Escalation routes – Be clear on the strategy for when the outcome is not what was expected. All too often I see companies continue in a circle of raising an issue in a governance meeting and not really resolving it and then it appears the month after.
Good practice has shown that it is never too late to take a review of your existing governance framework and adjust to suit the current situation. Being flexible and transparent will ensure the best outcomes are delivered for all parties.
Try to focus your objectives around trust and integrity, innovation for successful services and delivering value. Times are changing and so should your approach to effective governance.
If you need any support with your own governance approach or some ideas for alternative frameworks to suit your needs, get in touch as we can help.
Although there are presently no reliable statistics, it is our understanding, from talking to our contact centre partner network and clients, that hundreds of thousands of contact centre based agents are now handling customer contacts from home.
Amidst all the uncertainty, distress and economic damage that Coronavirus is causing, there have been some positive outcomes. One of these is the impressive way in which the planning and implementation of large technology projects, like the mass shift to home working, has been achieved in only a few short weeks.
However, contact centres who have moved quickly to wholly distribute their workforce are still faced with massive operational challenges including erratic levels of demand, huge changes to channel usage and how to engage, motivate and support staff without a physical connection. But there are also key and often pressing regulatory and compliance questions to be understood and addressed.
How do you prioritise?
Having the responsibility for maintaining customer experience and engagement in the new ‘virtual’ contact centre is a particularly tough task. So, who has the time to ponder what the contact centre homeworking compliance issues are?
Increased risk exposure
In these times of rapid change, meeting compliance and regulatory needs must be underpinned by a focus on prioritisation. Many areas need to be reviewed and changes made, but while some can wait, others really cannot.
The simplest approach is to take a risk-based view. For most organisations, their biggest risk and exposure through contact centre homeworking is not regulatory, it is criminal.
Although many brands and customer management service providers have responded very quickly to Covid-19, criminals and fraudsters have been quicker still.
Fraud
Home-based workers, remote from their usual support and information sources, are potentially vulnerable to fraudsters. To add to this risk, many customers are being faced with new personal and financial challenges, whilst organisations are having to handle an increased level of demanding and emotional contacts. Criminals will exploit this emotionally charged time by emulating stressed customers to gain leverage and access to sensitive information.
If data and payment management systems and processes are already insufficiently secure, there is the additional danger that employees may be persuaded or threatened to copy and share data. Data security flaws in a traditional contact centre environment will simply be amplified in a home-based environment.
Data Protection and the Information Commissioner’s Office (ICO)
The ICO realises that it needs to avoid standing in the way of organisations’ Covid-19 coping strategies. The ICO has said “We understand that resources, whether they are finances or people, might be diverted away from usual compliance or information governance work. We won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period”.
Specifically, on homeworking the ICO says “data protection is not a barrier to increased and different types of homeworking”. The following excerpt from their own information states:
More of our staff will be homeworking during the pandemic. What kind of security measures should my organisation have in place for homeworking during this period?
Data protection is not a barrier to increased and different types of homeworking. During the pandemic, staff may work from home more frequently than usual and they can use their own device or communications equipment. Data protection law doesn’t prevent that, but you’ll need to consider the same kinds of security measures for homeworking that you’d use in normal circumstances.
This is an empathetic stance but data protection can create a business process hurdle that organisations need to clear. The ICO’s ‘softly-softly’ approach to enforcement suggests that homeworking can be implemented now without an onerous review of data protection rules and procedures, but that work will need to be done as soon as you can. Create a diary note.
Anecdotally, some contact centres have reported increased contact and conversion rates on their proactive outbound calling. More generally a largely captive nation of consumers is encouraging some businesses in specific sectors to accelerate their marketing efforts. If these opportunities require either the acquisition of 3rd party prospect data or new/extended proactive contact methods and channels (phone, email, social), then organisations need to tread warily. The use of inappropriate or non-compliant data sources and misuse of communication channels, against Ofcom or PECR rules, can leave organisations wide open to fines, reputational damage and the closure of revenue streams.
Payments
Contact Centre Panel’s John Greenwood has already highlighted the risks of not ensuring that card payments taken by homeworking staff are PCI-DSS compliant, as detailed in our recent article. Remember, the ICO explicitly states that if an organisation suffers a data breach and has failed to follow the PCI-DSS rules, the ICO will hold that against them.
The ICO states: “Although compliance with the PCI-DSS is not necessarily equivalent to compliance with the GDPR’s security principle, if you process card data and suffer a personal data breach, the ICO will consider the extent to which you have put in place measures that PCI-DSS required particularly if the breach related to a lack of particular control or process mandated by the standard.”
Insurance
The insurance industry, in part due to government encouragement, has responded flexibly and helpfully to business change in the face of Covid-19. Most insurers have extended liability cover to include staff now working from home, as well as continuing to cover IT equipment (all those newly purchased laptops!) now located in employees’ homes rather than in offices.
However, it is best to check with your business broker or insurer to ensure you are covered.
Health and Safety
The Health & Safety Executive requires employers to conduct workstation assessments of staff using Display Screen Equipment (DSE), whether staff are office or home-based. The HSE says that there is not a requirement if staff are working from home ‘temporarily’, but as time goes on some contact centre home working is likely to feel semi-permanent.
Beyond DSE, the Health & Safety Executive states that employers must consider:
• How will you keep in touch with them?
• What work activity will they be doing (and for how long)?
• Can it be done safely?
• Do you need to put control measures in place to protect them?
This applies whether the home working arrangement is permanent or just for the short-term. The best contact centre employers are mindful of this, but there are financial and health risks to both employees and employers if these measures are not in place.
Wellbeing
Although it has not really hit the regulatory radar yet, many contact centres have been at the forefront of recent initiatives to recognise the importance of maintaining good mental health in the workforce. At a time of societal change and increased awareness of anxiety and stress, the importance of the role employers play in helping staff remain focused and effective has never been greater. Ensuring the continued emotional support of contact centre staff, at all levels, needs to be maintained in parallel with working out how best to maintain motivation, morale and operational performance.
Contact Centre Panel Network members are subject to compliance reviews. To join and then remain a partner they need to have the right level of expertise to navigate the rules and regulations needed to ensure that marketing and communication efforts remain compliant.
How can CCP help?
We have a team of specialists able to advise clients and network members on data compliance, the latest industry regulations, and best practice. Our services also extend to marketing data sourcing, contact centre training and engagement, wellbeing and secure payment processing.