News broke last week of the largest data security breach known to date. According to the Internet security firm Hold Security, a Russian crime ring has stolen approximately 1.2 billion user name and password combinations and more than 500 million email addresses.
With data protection firmly back in the spotlight, it is a good time for all companies involved in the collection and processing of customer data, including contact centers, to review their obligations and ensure they are complying with the law as it applies to them.
In recent years governments across the world have become increasingly aware of the importance of data security. Many countries within Asia, the Middle East and Latin America are adopting data protection laws, where none existed previously. Even in regions with mature data protection regimes, such as Europe and the US, we are seeing changes in response to new technologies, off-shoring and the growth of cross-border trade.
In many jurisdictions a failure to comply with data protection rules brings with it the risk of both civil and criminal penalties, not to mention reputational damage. As such, this is not an issue that those involved in the contact center industry can take lightly.
What is Personal Data?
Given the varied regimes, it is impossible to give a definitive definition of personal data that will apply to all contact centers. It will depend on the regulations in force in the place where the customer resides and, potentially, where the information is gathered or processed. In the US alone, taking into account both federal and state laws, there are potentially hundreds of data protection laws and regulations to be considered.
Often the definition of personal data is very wide. Therefore, most contact center activities will usually involve the collection or processing of some kind of personal data.
In the UK, for example, personal data is defined as data relating to living individuals who can be identified a) from the data, or b) from the data and other information that is in the possession of, or is likely to come into the possession of, the data controller. Therefore, under the UK regime, a call recording that mentions a customer’s name will likely contain personal data and should be dealt with in accordance with the UK Data Protection Act 1998.
The rules relating to customer data may also vary depending on the nature of that data. It is therefore important to check the kinds of data the contact center will be gathering and make sure each kind of data is dealt with in accordance with the applicable rules.
For example, in the UK, stricter rules apply to the treatment of “sensitive personal data”. Sensitive personal data includes information relating to a person’s race, health or criminal record. By way of illustration, consider the example of an insurance company that sells both pet and medical insurance via a contact center. For the pet insurance, the contact center may not be gathering sensitive personal data. However, in the case of the medical insurance, which would involve gathering information about the customers’ health, the contact center would almost certainly be collecting sensitive personal data.
What Obligations Arise in Relation to Personal Data?
How data should be treated will depend on the applicable regulations. However, by way of example, under the UK regime, the obligations that arise include:
a) The requirement to advise customers if their details are to be stored, by whom and for what purpose. In relation to this obligation, the phrase “Your call may be recorded for training or monitoring purposes” is commonly played via an automated system at the start of incoming calls. However, it is important for contact centers making outbound calls to give the same notification. Call handlers should be prompted to give this notification at the outset of all recorded calls and should be trained on its regulatory importance, so they are not inclined to skip it. Further, if the contact center is taking details on behalf of another company, the customer must be advised of the name of that company.
b) The requirement to use the data only for the purposes for which it was collected. So, if a customer gives information in response to a “survey” carried out by company A, those details cannot be shared with company B for marketing purposes (even if the companies fall within the same Group), unless the customer has agreed to data about them being used and shared.
c) Personal data should only be kept long enough to fulfill the purpose for which it is held. Often there will be several reasons to record calls. However, if recordings are only intended to support quality initiatives that involve weekly training sessions, storing call recordings for more than a year could be considered unreasonable, unless there is another reason that justifies keeping the recordings for such a long period.
These are simply examples of the kind of obligations that arise under the UK regime. Similar obligations may arise under other regimes, and it is always important to check the specific requirements that apply to the contact center in question.
Keeping Data Safe and Secure
Nearly all regimes will have a requirement to take steps to protect data collected from customers against loss or unauthorized use. In the UK, data controllers must take appropriate technical and organizational measures against unauthorized or unlawful processing, and against accidental loss or destruction of, or damage to, personal data. For the purposes of the UK legislation, where a company outsources its contact center activities, it is the company that remains the data controller. It is therefore incumbent on the company, as data controller, to ensure the contact center takes appropriate measures to protect the security of customer data. It is good practice to include provisions within the contract between the company and the contact center setting out the contact center’s obligations to protect customer data, and to inform the company of any breach or potential breach of such provisions.
Similar rules apply in the US. In general, US businesses will be required to take reasonable technical, physical and organizational measures to protect the security of sensitive personal information. In addition, the majority of US states require companies to notify state residents of a security breach involving residents’ names plus a sensitive data element (typically, social security number, other government ID number, or credit card or account number) in combination with a security code or password that would permit access to a financial account. So, where banking customers are asked to provide password details and account numbers at the start of a call, the loss of the call recording could, potentially, trigger such notification provisions and attract significant press attention. Steps must therefore be taken to ensure such call recordings are properly protected.
What Happens When Things Do Go Wrong?
Civil penalties are generally significant. The UK Information Commissioner can impose fines of up to GBP 500,000 ($839,000 USD) for serious breaches of the Act. In addition to civil penalties, in the US, some privacy laws (including call recording laws) may be enforced through class action lawsuits for significant statutory damages and legal fees. Some jurisdictions also include criminal penalties within their data protection regimes. Also, as we have seen with the case of the Russian hackers, data security breaches can attract widespread media attention.
Data protection is not, therefore, an issue that should be taken lightly. This article is merely intended to highlight the issue. However, given the complexity of the various regulations, a high level understanding of the issue is not enough. Companies collecting customer data (whether via in-house or outsourced contact centers) must ensure they get proper legal advice on the data protection rules that apply to them. With the right advice, companies can ensure they put in place the proper measures to ensure they do not fall foul of the often strict data protection laws that exist throughout the world.
This article originally appeared on NSAM sister publication Customer Experience Report.