By Mick Beadle, Head of Channel Partnerships, Europe, Semafone.
EU GDPR – the eleventh hour
For well over a year, companies across Europe and beyond have been aware of the new EU General Data Protection Regulation (GDPR) as it looms on the horizon.
In May 2018 it will finally come into force but many are still struggling to get to grips with the way they hold, process and manage their customer data across their business infrastructure.
The EU GDPR will be one of the biggest data privacy reforms of all time and many organisations are realising – perhaps a little late in the day – that they need to take action quickly. The new regulation requires complete control of customer data, but older organisations commonly have customer records that have built up over years of acquisitions and mergers, which in many cases are still sitting in ageing and separate databases.
An infrastructure revolution
The answer for a large number of organisations is a complete infrastructure transformation – a challenging prospect, but one which also presents an opportunity to streamline operations and establish higher levels of security across the board. By far the most popular solution is to move to the cloud. A research paper published last year by the Cloud Industry Forum (CIF) predicts that by 2020, 57% of organisations will have implemented cloud within their contact centres, in a bid to keep pace with changing consumer behaviour, increase profitability and improve data security.
PCI DSS – a stepping stone to GDPR
With so much customer data centred around the contact centre, there is another regulation that organisations often struggle to comply with: the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS lays down stringent rules for the handling of payment data, and compliance can be a major headache for contact centres. Telephone payments are a particularly risky area: the rules governing the capture of sensitive credit and debit card data are especially demanding when it comes to contact centres and call recordings, and it is at this hurdle that many organisations fail. Ensuring that no sensitive card details are kept within the organisation is a complex process; even simply handling these details requires a hefty list of checks and controls. Payment data is high on the list of EU GDPR concerns because of its value to fraudsters, so meeting all the requirements of PCI DSS can go a long way towards EU GDPR compliance.
Killing two birds with one cloud
At the heart of the EU GDPR is the principle of "privacy by design". This places the onus on organisations to ensure that their working practices are set up to protect the privacy of data, and that they store only the minimum amount of customer information needed to carry out their work. The cloud model is one of the best ways for organisations to achieve this, outsourcing the management of data to experts wherever possible. For many organisations, this means replacing outdated ISDN lines with faster, more flexible Session Initiation Protocol (SIP) trunking. SIP not only offers superior security, but it is also extremely scalable, supporting organisations that range from small businesses to large enterprises and contact centres. It simplifies the difficulty of dealing with peaks and troughs of demand and makes planning for disaster recovery much more straightforward.
Migrating to a cloud model enables organisations not only to meet the EU GDPR's privacy by design requirement but also to tackle PCI DSS compliance head on, by taking sensitive payment details out of their own infrastructure completely. It is now possible for payment details to be transferred directly from the customer to the payment provider via the telephone keypad, never entering the contact centre environment at all. What's more, this type of solution can also be used to protect other sensitive data, such as bank details and national insurance numbers.
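To make the keypad approach concrete, here is an added example (my own illustration, not Semafone's product or any vendor's code) that simulates a call in which the caller keys in a card number. The digits are diverted to a stand-in payment provider, which validates them and returns an opaque token; the agent's screen and the call recording only ever see a masked placeholder and the last four digits. The PaymentProviderStub class, the event format, the helper names and the sample call are all constructed assumptions; the card number used is a widely circulated test number, not a real card.

```python
"""Simulation of keypad (DTMF) payment capture that keeps the card number out
of the contact-centre environment. Everything here is constructed for
illustration and is not any vendor's product or API."""
import re
import secrets
import string
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, the standard sanity check on a card number."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class PaymentProviderStub:
    """Stand-in for the external payment provider. It validates the PAN,
    issues a random letters-only token and retains only the last four digits."""

    def __init__(self) -> None:
        self._issued: Dict[str, str] = {}   # token -> last4; the PAN is not kept

    def tokenise(self, pan: str) -> Dict[str, str]:
        if not luhn_valid(pan):
            raise ValueError("card number failed validation")
        token = "tok_" + "".join(secrets.choice(string.ascii_uppercase) for _ in range(12))
        self._issued[token] = pan[-4:]
        return {"token": token, "last4": pan[-4:]}


@dataclass
class CallSession:
    agent_view: List[str] = field(default_factory=list)   # what the agent sees
    recording: List[str] = field(default_factory=list)    # what the call recorder stores
    token: Optional[str] = None


def route_call(events: List[Tuple[str, str]], provider: PaymentProviderStub) -> CallSession:
    """Replay a call. Speech reaches the agent and the recorder unchanged;
    DTMF digits are buffered for the provider and masked everywhere else."""
    session = CallSession()
    keypad: List[str] = []
    for kind, value in events:
        if kind == "speech":
            session.agent_view.append(value)
            session.recording.append(value)
        elif kind == "dtmf" and value == "#":      # '#' submits the buffered digits
            result = provider.tokenise("".join(keypad))
            keypad.clear()
            session.token = result["token"]
            session.agent_view.append(
                f"[card accepted, ends {result['last4']}, token {result['token']}]")
            session.recording.append("[keypad entry masked]")
        elif kind == "dtmf":
            keypad.append(value)                    # digit never reaches agent or recorder
        else:
            raise ValueError(f"unknown event type {kind!r}")
    return session


# Constructed sample call. 4111111111111111 is a well-known test PAN, not a real card.
SAMPLE_PAN = "4111111111111111"
SAMPLE_EVENTS: List[Tuple[str, str]] = (
    [("speech", "Agent: please key in your card number followed by hash.")]
    + [("dtmf", d) for d in SAMPLE_PAN]
    + [("dtmf", "#"), ("speech", "Agent: thank you, that payment has gone through.")]
)


def pan_exposed(session: CallSession, pan: str) -> bool:
    """True if the PAN, or any run of five or more digits, survives in what the
    contact centre retains (agent view plus recording)."""
    retained = "\n".join(session.agent_view + session.recording)
    return pan in retained or re.search(r"\d{5,}", retained) is not None


def run_demo() -> CallSession:
    """Replay the constructed call through a fresh provider stub."""
    return route_call(SAMPLE_EVENTS, PaymentProviderStub())


if __name__ == "__main__":
    s = run_demo()
    print("agent view:", s.agent_view)
    print("recording: ", s.recording)
    print("PAN exposed:", pan_exposed(s, SAMPLE_PAN))
```

The point to check in a real deployment is the same one the pan_exposed function checks here: after the call, neither the agent desktop, the recording nor any log in the contact centre should contain the full card number or a long run of keypad digits, only the provider's token and whatever truncated digits the business genuinely needs.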
Don't wait for the hackers
Holding customer data is inherently risky, no matter how high the level of security we put in place to protect it. Every new security measure we implement is just another step in the race against the hackers and represents a cost in both time and money. The GDPR deadline provides an opportunity for all organisations to look at how we can remove customer information from our contact centres and soothe the headache of compliance altogether. It's an achievable goal, and as organisations move to the cloud and pass sensitive information into the hands of specialists, everyone's information becomes safer.