The 2018 UKCCF Data Security and Compliance Survey, conducted online between January and May 2018 amongst 101 UK contact centres, reveals that:
• 89% of organisations consider ‘ensuring we meet all our compliance obligations’ to be 'very important'
• 95% review their access control procedures every year or less
• 73% have a Data Protection Officer (or officers)
• 60% require formal qualifications for at least some of their Data Protection Officers
• 62% carry out Disclosure and Barring Service security checks on new contact centre personnel
As a result, only 2.5% of in-house contact centres have experienced a cyber attack that resulted in the loss of confidential customer data, and only 4% of respondents reported a data breach by contact centre agents stealing a small amount of data (i.e. under 25 records). None reported a major data breach (over 25 records).
The cost of failing to meet regulatory obligations is greater than ever. An inability to comply with the Data Protection Act, for example, can lead to the Information Commissioner’s Office (ICO) imposing information and enforcement notices. For serious breaches, monetary penalty notices can rise to ?500,000. In the case of a European General Data Protection Regulation (GDPR) infringement, the ICO will have similar powers - although the maximum fines it can impose will be up to ˆ20 million or 4% annual global turnover (whichever is higher).
As well as making procedural/ process changes and investing in additional skilled personnel to assist with data security and compliance, contact centres are also investing in specialist technology. In organisations where front line agents take credit and debit card details online, for example, 53% now use technology that ensures agents can't see or hear those card details.
“While much has been achieved, there is still much work to do” said Trevor Butterworth, CEO UK Contact. “Having addressed the challenges of GDPR (introduced 25 May 2018), UK contact centres must now face up compliance challenges posed by the proposed new EU ePrivacy and other regulations. With cyber attacks and data theft on the rise globally, Data Security will also remain a very important agenda item.”
Derwyn Jones, CEO of Ultracomms, a provider of PCI DSS level 1 certified secure telephone payment solutions and omni-channel contact center services said, “Every business is taking a risk if they don’t take compliance and data protection seriously. We know that nearly two thirds of organisations who handle card payments over the phone use technology that will be deemed non-compliant when the PCI DSS Council issues its next standard update. Along with the risk of significant financial penalties, the impact of loss of customer confidence and reputation damage as a result of a data breach can be much more damaging in the long term. At a time when data protection is under unprecedented scrutiny and for every business, customer-facing processes are under the compliance microscope, organisations cannot afford to sit still”.
Tony Smith, Sales Director – EMEA, PCI Pal added “It’s very positive to see how seriously UK organisations are taking their security compliance obligations. Yet, with 95% of respondents suggesting they check their access control procedures at least once a year, we want to remind UK contact centre managers of the importance of reviewing PCI DSS compliance on an ongoing basis; the latest PCI DSS standards require that evidence is provided that documents continuous compliance throughout the year for device inventories, configuration standards and security controls, rather than simply passing a test as part of an annual assessment.”