By Shane Lewis, Information Security Manager, Semafone.
The EU GDPR has been in play for almost a year now and while the scare stories have diminished and the panic has subsided, it’s important that organisations do not become complacent. The principles of the regulation should be fundamental for companies and government bodies handling customer data, but not everyone is following them yet.
It’s a marathon, not a sprint
A month after the EU GDPR came into force, security company TrustArc’s research revealed that only 21% of UK organisations believed themselves to be compliant. In addition, the ICO reported that complaints about potential data breaches have more than doubled since May last year. Amazon, Apple, Netflix and Spotify have all faced questions over their compliance with the GDPR, while Google has been fined £44m for breaching its regulations, so there is still work to be done.
Adhering to these regulations is really not a one-off – the GDPR is here to stay and demands an on-going compliance process. Ignoring the GDPR or getting complacent about its implementations can be very dangerous. Don’t be caught on your heels, waiting for the next catastrophe to remind your organisation of its relevance and severity.
Top Tips to GDPR compliance
Contact centres are on the front line when it comes to customer data. They receive large amounts of personal information through a variety of communication channels, from telephone calls, social media and online chat, all of which needs to be protected in accordance with the GDPR. Additionally, factors such as call recording and payment handling need to be taken into account. To help contact centres make sure that they are on the right side of the regulation, we’ve compiled a twelve-step checklist.
- Know what you’ve got
Being able to identify exactly where all your organisation’s customer data is held is crucial. If you don’t already know this, it’s time to find out. Mapping out all your systems will enable you to keep track of your data’s journey from the moment it first enters your organisation. If a customer requests to be removed from your database – using their ‘right to be forgotten’ – you need to be able to do it completely, without undue delay and in any case within a month. Knowing where your data is at all times will make this process quicker and easier.
- For every customer record you hold, ask yourself why?
When you hold lots of data, you are a target for hackers. Cyber criminals are increasingly using AI and machine learning to create automated systems to deliver phishing, spear phishing and ransomware attacks that can be fine-tuned to defeat security barriers as they spread. One way to manage this threat is for your organisation to hold on to as little personal customer data as possible. But, for the data you do keep hold of, make sure you can justify why you’ve kept it (remember, ‘for marketing purposes’ will no longer fly).
- If you can’t remove it, encrypt it
If you need to keep customer data, be sure to strip away anything that can actively link it to an individual such as the person’s name, address and email address. Use tokenisation as much as possible. This is a form of encryption that substitutes sensitive data with “tokens”, which are data elements that have no meaning. You must also ensure that you hold personal information such as email addresses and names separately from all other data. This allows you to be sure that complete records only exist when they are actively needed – the rest of the time the token will be of little use to a hacker. While encryption adds a layer of protection to your customer data, it isn’t an absolute. If you can decode it, so can someone else.
- Data handling – less is more
Unburden your staff by applying the principle of ‘Least Privilege’, so they don’t find themselves exposed to any data that they don’t absolutely need to see. Too often, in a contact centre, agents are given access to a customer’s entire record in the CRM database when all they need is a name. By limiting this, you can significantly decrease your risk of insider threats.
- Self–authentication sends a strong signal to phone fraudsters
Implement solutions such as dual-tone multi-frequency (DTMF) masking – which disguises keypad tones – so that a customer can enter their own details, and remain in communication with the call centre agent, who only sees the confirmation of a successful or unsuccessful transaction. This way both parties are protected further from the threat of fraud.
- Train your team
Carry out regular training in basic security procedures such as changing passwords and make sure that employees know what to look out for with phishing or spear phishing attacks – which are becoming increasingly common and sophisticated. Measures such as double- checking email addresses and investigating any unexpected requests for personal information can stave off many such attacks. Employees are frequently targeted and become a business’s weakest link when it comes to data protection, so make sure your procedures are robust and up-to-date.
- Call recordings – take extra care
The GDPR requires contact centres to justify why customer phone calls need to be recorded. Legitimate reasons include legal or contractual requirements, public interest, or the interest of one of the parties. Record and review your contact centre’s processes, methods and justifications for any capture of sensitive information, along with the length of time you hold onto that data. A contact centre can use a data security solution, like DTMF masking technology, that allows customers to type sensitive numerical details directly into their telephone keypad, thus avoiding sensitive data being recorded on the call.
- Other regulations matter too
Although many contact centres will already be compliant with the Payment Card Industry Data Security Standard (PCI DSS), there is more that can be done to take complete control of your contact centre’s information security governance. Structure a framework for your entire organisation that is audited to the ISO 27001:2013 standard. But remember, security and privacy are not necessarily the same thing: just because you are protecting data from fraudsters does not automatically mean that you are also upholding the privacy of the owner.
Securing and encrypting the customer data you hold is only the first step. If you are working with partners for some aspects of data processing, it’s up to you to make sure that their security measures are as robust as yours. This is still essential if they are based overseas, as transfer of data outside the EU is subject to specific conditions and contracts within GDPR clauses. The GDPR will deem you to be responsible if one of your data processors allows a data breach to take place. Article 28 sets out several specific clauses that must be in place with data processor agreements, so check that data processing partners and suppliers are adhering to the standards of the GDPR or its other overseas jurisdictional obligation equivalent and draw up contractual agreements to clarify expectations on all data processing agreements.
- Keep records as though the customer will read them
Under the GDPR, customers can invoke a Subject Access Request, which can grant them access to the comments logged during a call. This no longer incurs a charge for the customer so the number of requests could rise. Everyone knows how tempting it can be to vent one’s feelings in writing on the CRM system after a difficult call but don’t get caught out. Train your team to keep it professional, or your company’s reputation could be in serious trouble if a customer finds any disparaging comments about themselves.
- Don’t forget to protect the team
Remember that your employees are also protected by the GDPR. If you need to hand over any call information to a customer, remove any details that might identify the call centre agent first. While this could be time-consuming and expensive, re-vamping your systems over time will make this process easier. In the meantime, don’t let your eagerness to protect your customers’ data make you violate the privacy of your team.
- Privacy by design
Last, but not least, when developing new systems and products, ensure that teams across your organisation collaborate to apply the principle of ‘privacy by design’ at the earliest opportunity. It is easier and far more cost effective to build in privacy and security at the concept stages rather than bolting this on at the end of the development or production life cycle.
For the greater benefit of all
Compliance with its rules might seem restricting, but the GDPR has ultimately had a positive influence on the business world. It has instilled a greater sense of duty among organisations to be responsible custodians of sensitive data, while also having a beneficial impact on CRM. These regulations don’t exist in order to lobby companies with massive fines; they exist for our collective digital security and privacy – something to bear in mind when you’re running through our GDPR checklist!
If you’d like to read the full report it is available for download here.
Shane Lewis, Information Security Manager
Shane has over 15 years’ experience in Information Technology and Information Security and is a Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC) and an ISO27001 Lead Implementer (CIS LI). Shane is responsible for securing Semafone’s information assets, maintaining and retaining the company’s PA-DSS certification, PCI DSS level 1 service provider accreditation and ISO27001. Before joining Semafone, Shane was based at international retailer Fat Face, where he managed the implementation of PCI DSS. Prior to this, he worked in financial services with a variety of brands including Barclays, Co-op, GE Money, HSBC and Lloyds Banking Group.