Tom Harwood, CPO and Co-Founder at Aeriandi

Partner Article

Using the cloud to navigate the changing compliance landscape

The complexity of the compliance landscape is poised to increase significantly for all companies operating a contact centre. Achieving compliance with the Payment Card Industry Data Security Standard (PCI DSS) remains a key concern for those taking payments over the phone, but the General Data Protection Regulation (GDPR) – due to be implemented in May 2018 – represents the biggest overhaul of personal data management in history. GDPR is arguably the most important piece of legislation that companies will need to comply with. As an overarching EU regulation, it will encompass all European Union (EU) personal data used or held by companies. It also poses a huge financial risk for companies that fail to comply.

Many of these requirements, rules and regulations will overlap, and companies will need to be more focused and attentive to compliance requirements than ever before. For contact centres, much of the compliance burden relates to the capture, recording, archiving and security of sensitive information. Maintaining a fully compliant security solution in-house can be a struggle. As compliance requirements evolve, so too must the technology used to meet them. Keeping on top of this can drain budget and internal resources. Forward-thinking organisations are using specialist cloud technology to support compliance across multiple regulations and standards. These solutions grow and change over time to meet the needs of the organisations using them, while also causing minimal on-site disruption.

Getting personal

For many contact centres, customer payment data represents a major compliance challenge. PCI DSS rules apply, and when GDPR comes into force customer payment data will fall well within its definition of ‘personal data’. The Cardholder Data Environment (CDE) is therefore a security focal point.

Even within this single area of data, compliance is complex. The CDE can be loosely broken down into four areas – data capture, data processing, data transmission and data storage. Contained within these are all of the physical and virtual components involved in each stage, including the network (firewalls, routers etc.), all point-of-sale systems, servers, internal and external applications and third-party IT systems. Each of these elements contributes to the overall scope of the CDE, which must be protected in full. The larger the scope, the more difficult and potentially expensive compliance becomes.

In the CDE example, the key to managing compliance is reducing the size of the CDE scope. By outsourcing key aspects of a cardholder data environment to a third-party Cloud Service Provider (CSP), the PCI compliance responsibility is passed on too. With the implementation of GDPR, however, a business will still be responsible for its customer data, even if a third party manages it. Companies will need to think about how they ensure GDPR compliance across their value chain. They must also remember that, in turn, value chain partners are under an equivalent requirement to refuse any instruction that is not GDPR compliant.

Compliance in practice

Let’s take one key process – payments. If an organisation uses a traditional call centre to process telephone payments manually, every aspect of that call centre is in scope for PCI DSS, from the telephone agents themselves through to the computers, network and payment systems used. As of May 2018, the organisation will also be required to process and store this data in line with GDPR. This means demonstrating an ability to recall data, and provide customer access when requested, amongst other stipulations.

Switching to a cloud-based payment system meets all of these requirements simultaneously. At the point where a payment is requested, customers are routed through to a secure, cloud-hosted platform where they enter their sensitive information via their telephone keypad. The call centre agents no longer play any part in the collection or processing of the customer’s sensitive data, and that data never enters the call centre environment.
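The data flow just described, as an added example that is not code from the article or from Aeriandi: a small Python simulation in which keypad digits entered during the payment step are routed only to a separate "secure platform", while the agent's view and the call recording receive masked tones. It ends with the check a compliance officer actually wants, a scan of the agent-side artefacts for anything that looks like a card number (a Luhn-valid run of 13 to 19 digits). The event format, the `CallRouter` class and the sample call are all constructed for this example; the card number used is a well-known test number, not real cardholder data.

```python
"""Simulation of DTMF redirection during telephone payment capture.

Constructed example: the event format, CallRouter and the sample call are
assumptions made for illustration, not any vendor's product or API.
"""
import re
from dataclasses import dataclass, field


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


# A run of 13-19 digits not adjacent to other digits.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid 13-19 digit runs found in text (the compliance scanner)."""
    return [m for m in PAN_RE.findall(text) if luhn_valid(m)]


@dataclass
class CallRouter:
    """Splits one call into what the call centre sees and what the secure platform sees."""
    agent_view: list[str] = field(default_factory=list)       # agent screen: in the call centre
    recording: list[str] = field(default_factory=list)        # archived recording: in the call centre
    secure_platform: list[str] = field(default_factory=list)  # hosted by the CSP: outside it
    capturing: bool = False

    def handle(self, event: tuple[str, str]) -> None:
        kind, payload = event
        if kind == "speech":
            self.agent_view.append(payload)
            self.recording.append(payload)
        elif kind == "payment_start":
            self.capturing = True
            self.agent_view.append("[payment capture started]")
            self.recording.append("[payment capture started]")
        elif kind == "payment_end":
            self.capturing = False
            self.agent_view.append("[payment capture ended]")
            self.recording.append("[payment capture ended]")
        elif kind == "dtmf":
            if self.capturing:
                # Digit goes only to the secure platform; the call centre side gets a masked tone.
                self.secure_platform.append(payload)
                self.agent_view.append("*")
                self.recording.append("*")
            else:
                # Outside payment capture, keypad presses are ordinary IVR input.
                self.agent_view.append(payload)
                self.recording.append(payload)
        else:
            raise ValueError(f"unknown event kind: {kind}")


def run_call(events: list[tuple[str, str]]) -> CallRouter:
    """Feed a list of (kind, payload) events through a fresh router."""
    router = CallRouter()
    for ev in events:
        router.handle(ev)
    return router


# Constructed sample call. 4111111111111111 is a widely used Luhn-valid test number.
SAMPLE_CALL: list[tuple[str, str]] = [
    ("speech", "Agent: I'll take your card details now."),
    ("payment_start", ""),
    *[("dtmf", d) for d in "4111111111111111"],
    ("payment_end", ""),
    ("speech", "Agent: Thank you, the payment has gone through."),
]


def audit(router: CallRouter) -> dict[str, list[str]]:
    """Scan each artefact for card numbers; only the secure platform should hold any."""
    return {
        "agent_view": find_pans(" ".join(router.agent_view)),
        # Join without spaces: the worst case for a scanner, since split digits would merge.
        "recording": find_pans("".join(router.recording)),
        "secure_platform": find_pans("".join(router.secure_platform)),
    }


if __name__ == "__main__":
    r = run_call(SAMPLE_CALL)
    print("agent sees:  ", " ".join(r.agent_view))
    print("recording:   ", "".join(r.recording))
    print("audit result:", audit(r))
```

In a real deployment the redirection happens in the telephony path, so the digits never reach the call centre's network at all; the simulation only shows which side of the boundary each piece of data lands on. The `audit` scanner is the part worth keeping: running a Luhn-filtered digit scan over recordings and agent logs is a cheap way to verify that the scope reduction the article describes actually holds.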

Cloud-based recording and archive solutions offer the ability to access call recordings and archives from anywhere, at any time, through a secure online portal. This is particularly beneficial to organisations spread across various geographic locations. In contrast, an on-premises recording and storage solution cannot deliver the same flexibility of access to recordings. To meet the GDPR’s governance requirements, compliance officers will need to periodically review archives to demonstrate compliance. Choosing a cloud-based solution will mean data is always easily accessible.

What’s the risk?

Compliance failures present a range of legal, financial and reputational risks. Potential liabilities include loss of customer confidence, diminished sales, legal costs, fines and penalties. One of the most discussed aspects of GDPR is its explicit mention of fines. Whereas the Data Protection Directive simply stated that sanctions had to be defined by the Member States, GDPR details exactly what administrative fines can be incurred for violations. The maximum fine depends on which ‘category’ the violation falls into: for less serious violations, the maximum is €10 million or 2% of total annual worldwide turnover of the preceding year (whichever is higher); for more serious violations this rises to €20 million or 4%. With the additional reputational damage, this could be catastrophic for many businesses.

Businesses have a growing responsibility for their customer data. They will need to question the capability of third parties and the platforms they are using to ensure compliance with a range of rules and regulations. The power, security and flexibility offered by the cloud are impossible to ignore. It is arguably the most secure and most cost-efficient way of processing and storing customer data. The cloud can help close the gap between resource and requirement, offering an affordable and proven route to help companies achieve compliance with multiple regulations simultaneously. No business wants to damage its reputation or bottom line, but rules and regulations are changing. Organisations need to change with them, while looking ahead to the future, if they are to navigate the changing landscape.

This was posted in Bdaily's Members' News section by Tom Harwood, CPO and Co-Founder at Aeriandi.
