CEOs across the world woke up to news last week that two of the biggest travel companies in the world, British Airways and Marriott, were fined £282m ($350m) for cyber attacks which resulted in customer data being breached.
Whilst the new GDPR legislation has now been in place for just over a year, the sheer scale of the fines has highlighted how seriously European regulators are taking any data breach – and, especially of note, these were criminal hacks, yet the data holder has still been held liable.
Never has the role of information security been so important, and rightly so. People expect their data to be held securely at all times. Businesses must constantly monitor their systems for any unexpected behaviour and attacks against their infrastructure.
Whilst “big data” has been a hot trend in the past few years, the implications of GDPR mean that in many cases businesses are better off holding less data than more. The GDPR rules are quite clear that unless data is accurate and kept up to date, it shouldn’t be retained. Likewise, you must not retain any personal data for longer than required.
Even the UK’s Information Commissioner has failed to keep their own website GDPR compliant, recently updating their Cookie Policies to bring them into line with their own updated guidance.
1. Ensure any data you collect is obtained in a lawful manner. For example, if you are using analytics software such as Google Analytics, you must ensure the website visitor has consented before the Cookie is placed. Ensure that any consent is freely given and is explicit about what their data may be used for. Make sure you retain proof of consent.
2. Ensure any data you collect is held strictly for as long as necessary. Do you really need a customer’s order history for the past 20 years, for example, or will just the last 12 months suffice? Did Marriott really need to retain their guests’ passport numbers years after their stay?
3. Make sure any data obtained is accurate and up to date. If data becomes out of date or inaccurate you have an obligation to correct or delete.
4. Avoid collecting information that isn’t relevant or necessary – if you don’t need it or use it, why collect it?
5. It’s critical to ensure all personal data is held in a secure manner. Make sure the data is encrypted and access is restricted strictly to those who need it.
For contact centres the burden can become particularly troublesome, with your contact centre users accessing potentially thousands of customers’ accounts and interactions every day. How do you ensure that every interaction is processed in a compliant manner, that your data is secure, and that any Subject Access Requests you receive under the GDPR are handled quickly?
Built from the ground up to be GDPR compliant, we encrypt all communication to and from our data centres. 24x7 video surveillance and security systems ensure the physical security of your data, and all information is encrypted on disk too. UK businesses can also rest assured their data is held securely within the UK – so Brexit or No Brexit – your data remains compliant. We also maintain a cyber insurance policy underwritten by Lloyds of London.
So why not contact QContact today and see how we can work together to help ensure your contact centre remains compliant.