GDPR Compliance – Take a lead from PCI DSS in your contact centre
Rob Crutchington from Encoded explains how applying the same principles as PCI DSS can help to meet the challenges of the new data protection legislation.
With the General Data Protection Regulation (GDPR) coming into force on 25th May 2018, many organisations are starting to consider what it will mean for them. Overriding national data protection laws and including new and more detailed protection legislation for personal data, GDPR will necessitate a review of data policies and practices that companies already have in place to ensure that they comply with how data is kept throughout the organisation.
GDPR is more than just payment card data
Organisations that fail to comply with the legislation face punitive fines of up to 4% of their annual global turnover or €20m, whichever is greater, not to mention reputational damage. So what does this mean for contact centres?
The good news – PCI DSS principles apply
Contact centres have always been focused on the security of card payments, ensuring that customer card data is stored, transmitted and processed securely. Now the same process needs to apply to all personal customer data – or Personally Identifiable Information (PII).
The good news is that if your contact centre is already Data Protection Act (DPA) compliant then typically you will be GDPR compliant. In addition, the Payment Card Industry Data Security Standard (PCI DSS) is intended to protect cardholder data, which means that by complying with PCI DSS you can be sure you meet the legislation and security requirements for that data.
Plus, if you are already working with a PCI DSS Level 1 supplier that is also DPA compliant, this further ensures you meet the regulations for your payment data.
De-scoping makes it easier to manage
Therefore, PCI DSS principles are a good place to start when thinking about personal data. Companies can apply a process of ‘de-scoping’ to reduce the number of requirements (tick-boxes) for PCI compliance. This same method can be applied to personal information, where business processes can be ‘de-scoped’ from sensitive personal data.
Businesses attempt to reduce their PCI DSS scope by limiting the number of places where card data is present, in a variety of ways including: removing redundant and obsolete storage facilities and applications; using technology solutions like tokenisation (replacing the card number with a unique identifier that retains all the essential information about the data, while the real data is held securely elsewhere); and outsourcing elements of card handling, storage and processing to PCI DSS compliant third parties.
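To make the de-scoping idea concrete, here is an added illustration (not code from the article or from Encoded) of how tokenisation takes card numbers out of a contact centre's own records. A hypothetical `TokenVault` is the only component that ever stores a real PAN; the contact centre's record keeps a random token plus the last four digits, and a `contains_pan` scope check scans a record for anything that still looks like a card number. Card numbers used below are constructed, publicly known test numbers, and the vault design is an assumption made for the example.

```python
import hashlib
import hmac
import re
import secrets
from typing import Dict


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, the usual way to recognise a plausible card number (PAN)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical token vault: the only place a real PAN is ever stored.

    In a real deployment this sits with the PCI DSS Level 1 provider, outside
    the contact centre's systems, which is what takes those systems out of scope.
    """

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_fingerprint: Dict[str, str] = {}
        # Vault-local key for a keyed fingerprint of the PAN, so the same card
        # always maps to the same token without keeping a plaintext lookup table.
        self._fingerprint_key = secrets.token_bytes(32)

    def tokenise(self, pan: str) -> str:
        digits = re.sub(r"\D", "", pan)
        if not (13 <= len(digits) <= 19) or not luhn_valid(digits):
            raise ValueError("not a valid PAN")
        fp = hmac.new(self._fingerprint_key, digits.encode(), hashlib.sha256).hexdigest()
        token = self._token_by_fingerprint.get(fp)
        if token is None:
            # A random token carries no information about the PAN, so a stolen
            # contact-centre database contains nothing a fraudster can charge.
            token = "tok_" + secrets.token_hex(16)
            self._pan_by_token[token] = digits
            self._token_by_fingerprint[fp] = token
        return token

    def detokenise(self, token: str) -> str:
        """Only the payment provider, inside scope, ever calls this."""
        return self._pan_by_token[token]


def contact_centre_record(vault: TokenVault, customer: str, pan: str) -> dict:
    """What the contact centre keeps: a token and the last four digits, never the PAN."""
    digits = re.sub(r"\D", "", pan)
    return {
        "customer": customer,
        "card_token": vault.tokenise(pan),
        "card_last4": digits[-4:],
    }


# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a word.
PAN_PATTERN = re.compile(r"(?<!\w)(?:\d[ -]?){13,19}(?!\w)")


def contains_pan(record: dict) -> bool:
    """Scope check: does any field still hold something that passes as a PAN?

    Useful over exported records, agent notes or ticket text to confirm that
    card data really has left the contact centre's systems.
    """
    for value in record.values():
        for match in PAN_PATTERN.finditer(str(value)):
            if luhn_valid(re.sub(r"\D", "", match.group())):
                return True
    return False


if __name__ == "__main__":
    vault = TokenVault()
    record = contact_centre_record(vault, "Alice", "4111 1111 1111 1111")  # constructed test PAN
    print(record)
    print("record in scope:", contains_pan(record))
    print("free-text note in scope:", contains_pan({"note": "customer read out 4111 1111 1111 1111"}))
```

The Luhn check in `contains_pan` is what keeps the scan from flagging every long order reference; the word-boundary assertions in `PAN_PATTERN` stop it firing on the digits inside a hex token. The same scan is the kind of check that belongs in a routine review of agent notes and exports, since a card number read out on a call and typed into a free-text field is exactly how de-scoped systems drift back into scope.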
Choose your partners carefully
Improve processes and agent training
One of the biggest risks in any organisation relating to data is staff – not necessarily from fraudsters, but from the laxity of people in taking proper care of data. The relatively low cost of training and education about the risks involved can go a long way in making staff vigilant to perils such as phishing emails and fraudulent representation. Phishing emails can mean that staff innocently allow hackers to enter the system, which is a bigger risk than a rogue staff member writing the odd card number down.
A Trusted Partner takes away the headache
Like PCI DSS compliance, the responsibility for GDPR cannot be entirely removed from the contact centre; however, the effort required can be dramatically reduced by following a similar approach to that of de-scoping.
Remember that the buck stops with the merchant to ensure PCI DSS compliance, and the same will be true for GDPR. Responsibility cannot simply be handed over to a third party – an organisation must itself identify how data is to be managed. However, taking a lead from PCI DSS and working with the right people can go a long way towards sleep-filled nights and compliant days.