It’s been a little over a year since GDPR was introduced. Now, many businesses live with far stricter rules around customer data – and far larger penalties by failing to secure it.
Along with regulations like PCI DSS, call centers have a lot to keep in mind. But how can your phone systems help you stay on the right side of the rules?
Regulatory compliance is complicated – but you can make it simple.
Whatever regulations you’re dealing with, data compliance is always about giving data as little exposure as possible. You can turn every tool you’ve got to the purpose of reducing exposure – even your phone systems.
We’re going to get into that. At the same time, we’re going to look at what happens when your communication solutions don’t follow the rules.
#1 Phones systems tip – access caller information in real-time
Let’s start by thinking about ‘privacy by design’.
One major problem for businesses is that retrieving data often means duplicating it as well. Initially, customer data is stored in a secure database. But then, an agent needs to access the data to inform their next action.
That brings sensitive data from one location to another, potentially less secure location, and increases its exposure.
Real-time access is the best way to avoid the problem.
One of our core principles is that data should only be retrieved in real-time, when needed, and then automatically discarded.
Just think about that scene in most spy thrillers: the hero memorises the message, then burns the note.
You could get a substantial fine
Here are my two cents on this: fines = bad.
In 2018, in the UK, Equifax was fined £500,000 for failing to protect the information of 15 million people. (They talked their way out of paying for the US breach of 145 million users’ accounts.)
And if you think £500,000 is pretty lenient, bear this in mind; they were fined under the old Data Protection Act. The half-million mark was the maximum at the time.
A great big GDPR fine could have run to either €20 million or 4% of annual turnover – whichever was higher. (Their 2018 turnover was almost $3.5 billion…)
‘...being compliant doesn’t mean that you are secure, but being found not compliant is a pretty strong signal that you are vulnerable’
#2 Phone systems tip – take control of call recordings
You’ve probably heard the story about NASA’s huge spend on pens for astronauts? It’s the one where NASA puts many years and dollars into a zero-gravity pen, and Russia gives its cosmonauts pencils.
The story is totally made up of course
But the lesson is good – use the simplest tool you can to fix your problem.
So here’s your problem. There are all kinds of reasons you record customer calls. But you’d rather not record things like credit card details on the call. You don’t want to increase the exposure of those details.
Do you need some kind of hi-tech voice analytics tools that recognise credit card numbers and deletes them? Do you need to employ a team of censors to listen to every call and remove the sensitive data?
Or do you just need to give agents a pause button?
That’s the solution we’d back. Let agents control call recording with phone systems that let them pause to take credit card details. That’s your ‘cosmonaut pencil’ solution.
You could do lasting damage to your brand
The days of sweeping data breaches under the rug are long gone. There’s a great deal more media interest and about as much public concern over the state of data security.
The Equifax example is as good as any. YouGov compiles a ‘buzz score’ that measures positive or negative public opinions about thousands of brands. Prior to the breach, Equifax’s score was zero – basically neutral, as the score runs from -100 to +100.
After the breach, they fell to -33. In fact, the damage went so deep that Experian – a competitor in the same industry – also dropped 8 points.
And ‘brand damage’ isn’t just marketing-speak. It’s very likely that a serious breach will lose you current customers and make it harder to find new ones. 65% of consumers say it’s highly unlikely or unthinkable that they would ever buy from a business that had had financial data stolen.
#3 Phone systems tip – VoIP Encryption
This is pretty core stuff – make sure your VoIP phone systems are secured with encryption.
When voice data moves over the internet, it’s converted into ‘packets’ of information.
Customers share all kinds of sensitive information over the phone, much of which is valuable to thieves.
Without encryption, sending those packets is like writing customers’ personal and financial details on a lot of postcards and putting them in the mail. You have no idea who will see them.
With encryption, sending those packets is like delivering customers’ details via armoured truck.
Make sure that SRTP and SIP encryption come as standard with your phone systems and call center software.
You provider could raise the cost of card payments
When it comes to PCI DSS non-compliance or actual data breaches, there are too many costs to mention. There are the fines, the loss of customers, the investigations, the audits… It adds up to an average cost of £3.86 million.
But even worse than the one-off costs is the long-term increase of per-transaction charges. It seems tiny at first. But then you think about the incremental effect of making less profit on every single card transaction.
#4 Phone systems tip – tag calls for assessment
Hopefully, it’s clear that you need a lot of oversight to make compliance work in an outbound or inbound call center. You can take control of call recording in your phone systems but mistakes may still happen.
babelforce put a lot of thought into the role senior oversight plays in this part of call monitoring. For us, the solution was call tagging.
In practice that means you can:
- allow agents to tag recordings that could present a risk
- automatically tag calls associated with taking payments
- automatically forward some recordings to a call center manager
- automatically delete recordings which haven’t been reviewed if they may pose a risk
That puts a lot of defensive measures between you and the risk of vulnerable data. More importantly, it puts a lot of defensive measures between your phone systems and data thieves.
Phone systems can be one of the most vulnerable parts of your business. Then again, securing your phone systems is some of the lowest hanging fruit for becoming compliant.
Want to learn more about compliance for calls and recordings? You can, right here.