Data Security and Data Sovereignty in Contact Centres

For all the talk over the last few decades of our once vast Earth becoming a global village thanks to digital technology, it doesn’t work as a metaphor if you think about it. In this so-called village, every house would not just retain its customs and traditions, but each would have a different set of regulations and laws.

It would be a confusing village to live in, to say the least. Just paying a visit to your neighbours would be fraught with complexity and risk.

And yet, that is kind of how the world works today.

Spare a thought, then, for data and compliance professionals the world over. Tasked with ensuring their organisations comply with a complex web of ever-changing regulations that vary across jurisdictions, the ramifications if they get it wrong can be catastrophic – including fines, bans, loss of customers, and the destruction of their employer’s hard-earned reputation.

Most organisations need to collect personal data from their customers and the people they serve. With the rise of digital technologies the amount of personal data collected and processed in places like contact centres is not only increasing, it is doing so exponentially.

The risk of data breaches and misuse of personal data has never been higher. At the same time, consumers are becoming more aware of their privacy rights and are demanding greater transparency and control over how their personal information is managed and used.

Data breaches are increasing, with the number of reported US data breaches rising by 68% year-over-year in 2021. The average cost of a data breach is around $4.24 million, the highest in 17 years. Moreover, remote work incidents cost over $1 million more than non-remote incidents.

In this article, we examine the key aspects of data security and data sovereignty in contact centres and customer-facing operations. It’s something no organisation can afford to get wrong.

Global Data Protection Laws

Most countries have their own laws to protect the personal and private data of their citizens. Let’s begin with a brief breakdown of some of the key regulatory frameworks in different regions:

GDPR is probably the most comprehensive and far-reaching set of data protection laws anywhere in the world. It came into effect on May 25, 2018, and applies to all organisations that process the personal data of EU citizens, regardless of where the organisation is located. The fundamental principles of GDPR include:

GDPR (General Data Protection Regulation) in the EU

• Transparency in data collection: Organisations must inform individuals what data they are collecting, why it is being collected, and how it will be used.

• Secure data processing: Any organisation that holds personal data has to put in place technical and organisational measures to keep that data private and secure.

• Respect for individual rights: Everyone has the right to access their personal data, ask for it to be erased (also known as the “right to be forgotten”), and object to it even processed in the first place.

• Accountability for data breaches: Any organisation that suffers a breach has to report it to the relevant authority within 72 hours. Companies can face significant fines for data breaches. Recent cases include a $124 million fine for a major hotel chain, a $575 million fine for a credit agency, and a $200 million fine for a home improvement company.

In the UK, GDPR has been implemented through the Data Protection Act 2018.

Future US Regulations

Unlike the EU, the United States does not currently have a comprehensive federal data protection law. However, several states have enacted their own data protection regulations, such as the California Consumer Privacy Act (CCPA), which came into effect in 2020. It gives California residents the same rights to know what data is collected about them and have it deleted that EU and UK citizens have under GDPR.

There is growing momentum for a comprehensive federal data protection law to be enacted in the US, with several proposals currently being debated in Congress. It is likely that the US will eventually adopt a federal data protection law that is similar in scope to GDPR.

Other Regulatory Frameworks

South Africa’s POPIA took effect on July 1, 2020. It emphasises principles similar to GDPR, requiring organisations to justify their need to process personal data and obtain consent from the owner of the data before collecting and processing it.

In addition to country-specific laws, there are also industry-specific regulations in many regions. The Health Insurance Portability and Accountability Act (HIPAA) for healthcare in the US is one such. The Financial Industry Regulatory Authority (FINRA) in the US sets and enforces rules governing the ethical business conduct of financial services firms, including the protection of customer data. In the UK, the Financial Conduct Authority (FCA) performs a similar role.

Finally, the Payment Card Industry Data Security Standard (PCI DSS) is a global security standard which prevents fraud by prescribing how companies handle and process credit card data. It places onerous, yet necessary, security responsibilities on organisations which process customer payments electronically.

These additional regulatory frameworks add another layer of complexity to the compliance landscape.

The Concept of Data Sovereignty

The development of cloud computing and storage in the last decade means that anyone, almost anywhere on Earth, can access vast digital resources and deploy them fairly cheaply and easily. Much of the time, these resources – the physical servers on which cloud software runs and data lives – will be located in a different country to the one in which the user is located.

Data sovereignty simply refers to the idea that data collected by organisations is subject to the laws of the country in which it is collected and processed, and in which the owner of personal data resides. This means that international organisations must understand the data protection laws specific to each different region they operate in.

Depending on the country in question, the type of data being collected and its intended use, it is often a requirement for the data to be stored and processed in the same country as the person to whom the data refers. So, if a contact centre operates in, say, South Africa but deals with EU customers, that data should more often than not be kept on EU servers.

Data sovereignty should not be confused with the distinct, yet related, concepts of data localisation and data residency. Organisations need to understand the difference between these when handling data across borders.

• Data sovereignty refers to a country’s right to control data generated within its territory. This means governments can regulate how data is collected, stored, processed, and shared.

• Data localisation is when a country requires certain types of data to be stored and processed within its borders. This may be done for compliance, security, or accessibility reasons, but can increase costs for businesses.

• Data residency simply refers to the physical location where data is stored. This can impact compliance, performance, and availability of data, especially for global organisations.

In essence, data sovereignty is the overarching principle, while data localisation and residency are specific aspects of how data is handled in different jurisdictions. Companies must navigate all three to ensure compliance and continuity.

The Constant Threat of Data Breaches

Being the victim of a data breach is no joke, both for the customer whose data is compromised and the organisation that was holding it and suffered the breach.

High-profile breaches regularly make headlines and can cause companies to shed customers and lose billions in share value as well as see their reputation as a safe and trusted organisation with which to do business disintegrate.

As well as a loss of consumer trust, data breaches can lead to lawsuits and fines which would give most companies a severe financial headache. According to a recent survey, 63% of consumers say the organisation holding the data is responsible for protecting it. A further 81% said they would be likely to stop doing business with an organisation that suffered a data breach.

With the proliferation of digital and cloud technologies data breaches are becoming increasingly common and criminal organisations will ruthlessly target any vulnerabilities.

How to Protect Your Contact Centre

To mitigate the risk of data breaches, contact centres should prioritise the following measures:

Robust Cybersecurity: Implement layered defences, including encryption, firewalls, and access controls, and stay updated on the latest threat vectors. Implement single sign-on (SSO) supported by multi-factor authentication, SCIM, and SAML to prevent attacks at login and offer benefits like better threat detection, less password fatigue, and a more productive workforce. Secure data in transit using SSL certificates, TLS, and virtual private networks. Encrypt data at rest on servers or in the cloud to limit exposure in case of a breach. Utilise artificial intelligence tools provided by cloud services and third-party providers to monitor transactions and detect threats in real-time.

Incident Response Plans: Have clear procedures for breach detection, containment, reporting to authorities (where mandated), and customer communication. Develop a comprehensive security policy incorporating guidelines from NIST (National Institute of Standards and Technology). Regularly audit your call centre and incorporate security into your training.

Staff Education: Human error is a significant risk factor for data breaches. Continuous training on identifying phishing attacks, safe password practices, and incident reporting is vital. Limit employee access to information based on their job title and need to prevent social engineering attacks and allow for quick removal of access after a demotion or detected vulnerability. Have an acceptable use policy which clearly outlines what tasks are permitted on personal devices and how sensitive data must be segregated from personal information.

Secure Device Management: Mandate device enrolment in solutions like Mobile Device Management (MDM) to enforce security policies, enable remote wiping if needed, and restrict access to sensitive data. There should also be specific technical safeguards on personal devices. This includes encryption, secure connections (like VPNs when accessing work resources), and robust anti-malware protection.

Maintain a Legal Register: Centralise your compliance knowledge in a comprehensive and accessible legal register that includes legislation, regulations, industry standards, and internal policies.

With the proliferation of digital and cloud technologies data breaches are becoming increasingly common and criminal organisations will ruthlessly target any vulnerabilities.

Deploy Secure Cloud Technology

Cloud solutions can be powerful tools for contact centres, but they require careful consideration regarding data sovereignty.

Partnering with the right cloud contact centre technology provider can help you secure your customer data and maintain customer confidence. When choosing a partner, contact centres must:

• Choose cloud providers that allow them to select data storage locations aligned with regional regulations. For example, GDPR requires that data on EU residents remain within the EU.

• Conduct thorough vendor due diligence to ensure that cloud partners have robust security certifications and practices that match the contact centre’s compliance obligations.

• Ensure you vendors have achieved certifications such as ISO 27001, which provides a structure for robust security and mandates ongoing risk identification and mitigation.

• Ensure that cloud partners have transparent data processing agreements that outline each vendor’s data handling responsibilities, security standards, and breach notification obligations.

• Regularly assess cloud vendors’ compliance posture through external audits or certifications to ensure they maintain robust security practices and adhere to relevant regulations.

• Understand cloud vendors’ reliance on additional fourth-party providers and ensure that data protection standards cascade down the supply chain.

• Opt for cloud providers that use AI-based threat detection and monitoring tools to handle security incidents in real-time.

• Select cloud partners that offer strong encryption for data both in transit and at rest to protect sensitive information from unauthorised access.
  

Don’t Get Caught Out

Data security and sovereignty have become critical issues for contact centres operating in a complex, ever-changing regulatory landscape. Navigating this maze of laws and regulations requires a deep understanding of global data protection frameworks, the challenges of data sovereignty particularly as it relates to the cloud, and defending against the constant threat of data breaches.

To mitigate risks and maintain customer trust, contact centres must prioritise robust cybersecurity measures, clear incident response plans, and continuous staff education. Practical steps include partnering with the right technology providers, maintaining comprehensive legal registers, adopting information security frameworks, and implementing remote worker and acceptable use of technology policies.

By demonstrating a commitment to data security and privacy, your contact centre and your organisation will build trust with your customers and stakeholders. The price for failing to do so is just too high.