Compliance violations draw big penalties today. We’ve all seen the headlines. When 134 million credit card details were exposed in 2015 at Heartland Payment Systems—a breach of the Payment Card Industry Data Security Standard (PCI-DSS)—the company not only paid an estimated $145 million in compensation, but was also prevented from doing what it was founded to do: successfully process payments.
Heartland’s woes are just one example of what can happen in today’s privacy-focused environment. Indeed, protecting a customer’s personal information is serious business—and the rules and regulations around it are growing stricter.
The European Union’s General Data Protection Regulation (GDPR) imposes new data protection requirements and practices for any organization—anywhere in the world—that processes personally identifiable information about European Union (EU) residents. Fines for non-compliance can be as much as $23 million or four percent of global revenue. Similar measures were enacted recently in the U.S. by the state of California. The California Consumer Privacy Act (CCPA) goes into effect January 1, 2020.
In the healthcare industry, the Health Insurance Portability and Accountability Act (HIPAA) was designed to protect a medical patient’s private information. Data breaches or misuse of such information can lead to criminal convictions and jail sentences for the responsible individual and fines of up to $50,000 per violation or record affected.
Here’s a wrap-up of the new technologies and best practices that can help contact center managers rest easy in today’s increasingly complex compliance environment.
Cross-Channel Recording and Data Management
Tools like call recording can go a long way in providing verifiable proof that agents are complying with rules and regulations that govern interactions with customers. Under the Federal Trade Commission’s Telemarketing Sales Rule (TSR), for example, sellers and telemarketers must provide the customer with required information about the quantity and costs of the goods, any other conditions or limitations that apply, and the applicable refund policy. Only then can they ask for consent to complete the purchase. Recording agent/customer conversations is essential to meet this requirement.
The challenge comes in recording conversations across all the newer channels—instant messaging, web chat, text or video—in which customers want to communicate today. These new channels add complexity to compliance requirements and contribute to the exponential increase in the amount of data that organizations must track, access, silo, store, produce for auditors and regulators, and then destroy. The good news is that tools are available today not only to record customer calls across channels, but also to provide a robust, workable means of managing all the data those conversations generate and to retrieve transcripts of conversations across the channels.
This matters because GDPR requires organizations to be able to demonstrate compliance. Whether or not a data breach or other non-compliance is under investigation, auditors will want to see evidence of the measures in place to underpin an organized and systematic approach to managing data and complying with the regulations. Meeting such a request would have been impossible under the traditional ways of doing business of a few years ago, when organizations were characterized by siloed systems, no integration and no common platform for managing recorded data.
In addition, data privacy laws and regulations usually place restrictions on the storage of customer data—how it is stored, where and for how long. These regulations are varied and often complex, but they all share the practical requirement to remove the data after certain time limits, or when there ceases to be a legitimate need to store the data. This requires the capability to tag the data with the relevant retention period or expiration date to facilitate its timely removal. The new tools provide that feature, automatically classifying and tagging—even the unstructured data such as voice recordings—to avoid human error and guarantee accuracy. The tools also make the data easily searchable by date, agent name, topic name or keyword.
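The retention tagging described above, as an added example that is not code from the original article or from any product it alludes to: each interaction record is classified from its channel and content keywords, stamped with an expiry date derived from a per-class retention period, and a purge routine selects only records whose expiry has passed and that are not under legal hold (the "legitimate need to store" caveat). The retention periods, record classes, agent names and keywords are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List, Optional

# Hypothetical retention schedule in days, keyed by record class. These values
# are constructed for the example; real periods come from the legal review of
# the regulations that apply to the organization.
RETENTION_DAYS = {
    "call_recording": 365,
    "chat_transcript": 180,
    "payment_dispute": 7 * 365,
}


@dataclass
class InteractionRecord:
    record_id: str
    channel: str                        # "voice", "chat", "sms", "video"
    agent: str
    captured_on: date
    keywords: FrozenSet[str] = frozenset()
    classification: str = ""
    expires_on: Optional[date] = None


def classify(rec: InteractionRecord) -> str:
    """Derive the retention class from channel plus content keywords.

    Stands in for the automatic classification step the text describes;
    a production classifier would use the transcript, not a keyword set.
    """
    if rec.keywords & {"dispute", "chargeback"}:
        return "payment_dispute"        # a legitimate need to keep persists longer
    if rec.channel == "voice":
        return "call_recording"
    return "chat_transcript"


def tag_retention(rec: InteractionRecord) -> InteractionRecord:
    """Tag the record with its class and the date it must be removed by."""
    rec.classification = classify(rec)
    rec.expires_on = rec.captured_on + timedelta(days=RETENTION_DAYS[rec.classification])
    return rec


def due_for_deletion(records: List[InteractionRecord], today: date,
                     legal_hold: FrozenSet[str] = frozenset()) -> List[str]:
    """Ids whose expiry date has passed and that are not under legal hold."""
    return sorted(
        r.record_id for r in records
        if r.expires_on is not None
        and r.expires_on <= today
        and r.record_id not in legal_hold
    )


def search(records: List[InteractionRecord], agent: Optional[str] = None,
           keyword: Optional[str] = None,
           on_or_after: Optional[date] = None) -> List[InteractionRecord]:
    """Filter records by agent, keyword and capture date (all optional)."""
    out = []
    for r in records:
        if agent is not None and r.agent != agent:
            continue
        if keyword is not None and keyword not in r.keywords:
            continue
        if on_or_after is not None and r.captured_on < on_or_after:
            continue
        out.append(r)
    return out


def sample_records() -> List[InteractionRecord]:
    """Constructed sample data, not taken from any real system."""
    return [
        InteractionRecord("rec-1", "voice", "agent-03", date(2023, 1, 1),
                          frozenset({"billing"})),
        InteractionRecord("rec-2", "chat", "agent-07", date(2023, 6, 1),
                          frozenset({"billing", "address"})),
        InteractionRecord("rec-3", "chat", "agent-03", date(2023, 1, 1),
                          frozenset({"dispute"})),
    ]


if __name__ == "__main__":
    recs = [tag_retention(r) for r in sample_records()]
    for r in recs:
        print(r.record_id, r.classification, r.expires_on)
    print("purge on 2024-02-01:", due_for_deletion(recs, date(2024, 2, 1)))
```

Running the purge with `legal_hold=frozenset({"rec-1"})` keeps the voice recording even though its period has lapsed, which is the behaviour an auditor expects to see documented alongside the schedule itself.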
Those same data privacy laws also address the need to inform customers if their personal data has been compromised—perhaps by a hack. Among its many requirements, the GDPR requires organizations to inform all customers whose data has been exposed or is at risk because of a data breach. This must be done within 72 hours of the breach being detected. This is extremely difficult to do, even if there are good records of what data has been affected. New encryption tools render affected call recordings and associated data unusable to attackers and would therefore mitigate the requirement to inform the affected data subjects, saving an enormous amount of work as well as the reputational damage that would result.
That’s a good thing, too. There have been a number of high-profile data breaches involving the theft of personal data from businesses around the world. This is having a profound impact on consumer trust and confidence.
Proactive Compliance—The Best New “Best Practice”
Today there are technology tools that support a more proactive approach to compliance—not simply offering proof to auditors that certain steps were taken, but also helping agents avoid non-compliant behavior.
For example, PCI-DSS regulations govern the ways in which data captured during credit card payment transactions must be stored and managed, including a requirement not to record sensitive data such as the Card Verification Code (CVC). When a contact center agent is processing a credit card payment, the tools prevent capture of sensitive data by using APIs or desktop-based triggers to pause call recording automatically while payment card details are being taken and processed.
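The pause-and-resume behaviour described above, as an added example rather than code from the article or from any recording product: a transcript capture session honours start/stop triggers from the payment workflow, writes a visible marker in place of the suppressed speech so the gap is auditable, and a post-call audit scans the stored transcript for Luhn-valid card-shaped numbers so a failed trigger is caught rather than silently retained. The session API, trigger names and call script are constructed; the card number is a widely published test number, not a real card.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Card-number-shaped runs of 13 to 19 digits, optionally separated by spaces
# or dashes. The Luhn filter below removes most non-card digit runs.
PAN_SHAPE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pan_like(text: str) -> List[str]:
    """Return Luhn-valid, card-shaped digit strings found in text."""
    hits = []
    for m in PAN_SHAPE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


@dataclass
class RecordingSession:
    """Transcript capture that honours pause/resume triggers from the
    payment step (hypothetical API; the text names no product)."""
    segments: List[Tuple[str, str]] = field(default_factory=list)
    paused: bool = False
    events: List[str] = field(default_factory=list)

    def on_payment_start(self) -> None:      # desktop/API trigger: card entry begins
        self.paused = True
        self.events.append("pause")

    def on_payment_end(self) -> None:        # trigger: payment processed
        self.paused = False
        self.events.append("resume")

    def capture(self, speaker: str, utterance: str) -> None:
        if self.paused:
            # Keep a marker so auditors see the gap was deliberate, not lost audio.
            self.segments.append((speaker, "[recording paused for payment]"))
        else:
            self.segments.append((speaker, utterance))

    def transcript(self) -> str:
        return "\n".join(f"{s}: {u}" for s, u in self.segments)


# Constructed call script. "PAYMENT_START"/"PAYMENT_END" rows stand for the
# desktop triggers; the card number is a published test number.
CALL: List[Tuple[str, Optional[str]]] = [
    ("agent", "I can take the payment now."),
    ("PAYMENT_START", None),
    ("customer", "The number is 4111 1111 1111 1111, expiry 12/29, code 123."),
    ("PAYMENT_END", None),
    ("agent", "Thank you, the payment went through."),
]


def run_call(with_pause_triggers: bool = True) -> RecordingSession:
    """Replay the call; with_pause_triggers=False simulates a broken trigger."""
    session = RecordingSession()
    for speaker, text in CALL:
        if speaker == "PAYMENT_START":
            if with_pause_triggers:
                session.on_payment_start()
        elif speaker == "PAYMENT_END":
            if with_pause_triggers:
                session.on_payment_end()
        else:
            session.capture(speaker, text or "")
    return session


def audit(session: RecordingSession) -> List[str]:
    """Post-call check: any card-shaped number in a stored transcript means
    the pause trigger failed and the recording must be quarantined."""
    return find_pan_like(session.transcript())


if __name__ == "__main__":
    print(run_call(True).transcript())
    print("PANs found with triggers:", audit(run_call(True)))
    print("PANs found without triggers:", audit(run_call(False)))
```

The audit step is the part worth keeping even where the pause trigger is trusted: a recording that passed through an unpaused session is the concrete failure mode PCI-DSS scoping is meant to prevent, and a cheap scan over the stored transcript turns that into a detectable event rather than a latent one.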
Knowledge management (KM) tools have always demonstrated their value to the contact center, helping agents find answers to customer questions and providing guidance during customer conversations. In today’s compliance environment, KM tools are delivering even greater benefits, helping ensure employees comply with internal processing standards and externally applied regulations. Scripting and dynamic prompts can keep them on track.
For example, when conducting a sales conversation governed by the TSR, real-time speech analytics and desktop processing tools can monitor and assess the content, direction and intent of the interaction—automatically feeding the agent with relevant advice and knowledge articles to help them bring the conversation to a successful conclusion.
The positive outcomes of investing in compliance solutions are measured as much in terms of the costs and consequences they help avoid as in terms of improved efficiency, increased profitability or market share, or new business won. Still, it’s good to keep in mind that there is no such thing as a solution that makes a company compliant with all the standards, regulations and laws that govern the way it protects customer privacy.
Compliance is as much about the attitude and diligence of the organization itself as it is about the solutions the organization employs. The contact centers I work with are successful because they accept this simple truth for what it is and view the solutions that help them remain compliant as a strategic investment and resource to be exploited to positive effect, rather than a cost they must reluctantly bear. With the right attitude and the right tools, it is possible for companies to meet the increasing pace and scope of compliance demands worldwide.