By Steve Sullivan, Head of Compliance, Contact Centre Panel.
Although there are presently no reliable statistics, it is our understanding, from talking to our contact centre partner network and clients, that hundreds of thousands of contact-centre-based agents are now handling customer contacts from home.
Amidst all the uncertainty, distress and economic damage that Coronavirus is causing, there have been some positive outcomes. One of these is the impressive way in which the planning and implementation of large technology projects, like the mass shift to home working, have been achieved in only a few short weeks.
However, contact centres that have moved quickly to distribute their workforce wholly are still faced with massive operational challenges, including erratic levels of demand, huge changes to channel usage, and how to engage, motivate and support staff without a physical connection. But there are also key and often pressing regulatory and compliance questions to be understood and addressed.
How do you prioritise?
Having the responsibility for maintaining customer experience and engagement in the new ‘virtual’ contact centre is a particularly tough task. So, who has the time to ponder what the contact centre homeworking compliance issues are?
Increased risk exposure
In these times of rapid change, meeting compliance and regulatory needs must be underpinned by a focus on prioritisation. Many areas need to be reviewed and changes made, but while some can wait, others really cannot.
The simplest approach is to take a risk-based view. For most organisations, their biggest risk and exposure through contact centre homeworking is not regulatory, it is criminal.
Although many brands and customer management service providers have responded very quickly to Covid-19, criminals and fraudsters have been quicker still.
Home-based workers, remote from their usual support and information sources, are potentially vulnerable to fraudsters. To add to this risk, many customers are facing new personal and financial challenges, whilst organisations are having to handle an increased level of demanding and emotional contacts. Criminals will exploit this emotionally charged time by emulating stressed customers to gain leverage and access to sensitive information.
If data and payment management systems and processes are already insufficiently secure, there is the additional danger that employees may be persuaded or threatened to copy and share data. Data security flaws in a traditional contact centre environment will simply be amplified in a home-based environment.
Data Protection and the Information Commissioner’s Office (ICO)
The ICO realises that it needs to avoid standing in the way of organisations’ Covid-19 coping strategies. The ICO has said “We understand that resources, whether they are finances or people, might be diverted away from usual compliance or information governance work. We won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period”.
Specifically, on homeworking the ICO says “data protection is not a barrier to increased and different types of homeworking”. The following excerpt from their own information states:
More of our staff will be homeworking during the pandemic. What kind of security measures should my organisation have in place for homeworking during this period?
Data protection is not a barrier to increased and different types of homeworking. During the pandemic, staff may work from home more frequently than usual and they can use their own device or communications equipment. Data protection law doesn’t prevent that, but you’ll need to consider the same kinds of security measures for homeworking that you’d use in normal circumstances.
This is an empathetic stance, but data protection can create a business process hurdle that organisations need to clear. The ICO’s ‘softly-softly’ approach to enforcement suggests that homeworking can be implemented now without an onerous review of data protection rules and procedures, but that work will need to be done as soon as you can. Create a diary note.
Anecdotally, some contact centres have reported increased contact and conversion rates on their proactive outbound calling. More generally, a largely captive nation of consumers is encouraging some businesses in specific sectors to accelerate their marketing efforts. If these opportunities require either the acquisition of third-party prospect data or new/extended proactive contact methods and channels (phone, email, social), then organisations need to tread warily. The use of inappropriate or non-compliant data sources and misuse of communication channels, against Ofcom or PECR rules, can leave organisations wide open to fines, reputational damage and the closure of revenue streams.
Contact Centre Panel’s John Greenwood has already highlighted the risks of not ensuring that card payments taken by homeworking staff are PCI-DSS compliant, as detailed in our recent article. Remember, the ICO explicitly states that, in the event of a data breach, if an organisation has failed to follow the PCI-DSS rules, the ICO will hold that against them.
The ICO states: “Although compliance with the PCI-DSS is not necessarily equivalent to compliance with the GDPR’s security principle, if you process card data and suffer a personal data breach, the ICO will consider the extent to which you have put in place measures that PCI-DSS required particularly if the breach related to a lack of particular control or process mandated by the standard.”
The insurance industry, in part due to government encouragement, has responded flexibly and helpfully to business change in the face of Covid-19. Most insurers have extended liability cover to include staff now working from home, as well as continuing to cover IT equipment (all those newly purchased laptops!) now located in employees’ homes rather than in offices.
However, it is best to check with your business broker or insurer to ensure you are covered.
Health and Safety
The Health & Safety Executive requires employers to conduct workstation assessments of staff using Display Screen Equipment (DSE), whether staff are office or home-based. The HSE says that there is not a requirement if staff are working from home ‘temporarily’, but as time goes on some contact centre home working is likely to feel semi-permanent.
Beyond DSE, the Health & Safety Executive states that employers must consider:
• How will you keep in touch with them?
• What work activity will they be doing (and for how long)?
• Can it be done safely?
• Do you need to put control measures in place to protect them?
This applies whether the home working arrangement is permanent or just for the short-term. The best contact centre employers are mindful of this, but there are financial and health risks to both employees and employers if these measures are not in place.
Although it has not really hit the regulatory radar yet, many contact centres have been at the forefront of recent initiatives to recognise the importance of maintaining good mental health in the workforce. At a time of societal change and increased awareness of anxiety and stress, the importance of the role employers play in helping staff remain focused and effective has never been greater. Ensuring the continued emotional support of contact centre staff, at all levels, needs to be maintained in parallel with working out how best to maintain motivation, morale and operational performance.
Contact Centre Panel Network members are subject to compliance reviews. To join and then remain a partner they need to have the right level of expertise to navigate the rules and regulations needed to ensure that marketing and communication efforts remain compliant.
How can CCP help?
We have a team of specialists able to advise clients and network members on data compliance, the latest industry regulations, and best practice. Our services also extend to marketing data sourcing, contact centre training and engagement, wellbeing and secure payment processing.