Why US contact centers need to wake up to the EU’s new GDPR data protection legislation and other new security requirements

Contact center management, GDPR, PCI DSS

A recent survey by PWC found that over 90% of US companies surveyed viewed GDPR compliance as one of their top data security priorities in 2017, and over half of those stated that it was their single most important issue of concern. Why is this?

In May 2018 the EU’s general data protection regulation (GDPR) comes into force. The GDPR is legislation designed to unify the way in which data protection works across the whole of the European Union. All EU countries will immediately be bound by the GDPR. It supersedes the national legislation of individual countries and covers all aspects of data protection, from individuals’ rights to lawful handling and processing of data, as well as increased liability for organizations in the event of a data breach.

Whilst it might be tempting to think that contact centers based in the US aren’t affected by the GDPR, this is not the case, as recognised by the companies in PWC’s research.

In this blog post I’ll discuss the reasons why US call center managers also need to pay particular attention to the GDPR and other data protection requirements.

Companies with customers in the EU are bound by the GDPR

If you have customers in any EU country, or market to anyone in the EU, or store personally identifiable information (PII) about anyone in the EU then you’ll be bound by the GDPR just as if you were based in the EU itself. So it’s important to find out what’s involved and to ensure that you’re compliant before the May 2018 deadline. The penalties for non-compliance can be particularly severe, with fines of up to 4% of your global annual revenue or 20 million euros, whichever is greater.

The GDPR is likely to become the new global standard

The GDPR is specifically designed to address the issues that come with the movement of data across borders. Effectively, the GDPR creates a truly international framework for data security. Along similar lines to PCI DSS (Payment Card Industry Data Security Standard), its aim is to standardise a global approach to security. Indeed, the GDPR goes further than PCI DSS insofar as it carries the force of law and covers more personal information, whereas PCI DSS is a self-regulated industry standard relating to payment card data. So although it may seem burdensome to comply with the GDPR if you don’t have to, I would see the GDPR as providing a valuable and wide-ranging data security framework that all organizations would benefit from applying.

Data security matters to every organization

There have been many high profile examples of data breaches affecting US companies in recent years – think of Target, Yahoo, Ashley Madison, eBay and Home Depot to name but a few. Indeed, most data breaches happen in North America and it’s estimated that the average cost of a data breach will be over $150 million by 2020. In 2015 alone over 700 million individual records were exposed due to data breaches. So, data security is an issue that’s of great relevance to every organization.

Data breaches lead to lost revenue and regulatory fines, which are bad enough, but the long-term negative effect on customer trust and brand reputation can be even more damaging. If you hold PII on your customers, then you need to ensure you’re holding that data securely. The GDPR provides an excellent framework for doing this, with the added benefit that you are then compliant with legislation you would have to comply with anyway if you ever did want to do business with customers in Europe, if you’re not doing so already.

US companies are recognising the significance of GDPR

PWC’s research does show that, for the most part, US companies are already recognising the importance of the GDPR and taking steps to comply with it. The GDPR itself provides a great incentive for US companies to look closely at their cybersecurity and risk management processes. Even closer to home, new data protection regulation such as the New York Department of Financial Services’ new Cybersecurity Requirements for Financial Institutions pushes the point that such data protection is now a must and not a ‘nice to have’, as do the global PCI DSS regulations for the protection of payment card data.

At Syntec it’s our view that safeguarding your customers’ privacy should be at the heart of any organization’s operation. Our own research shows that consumers are growing ever more concerned about the security of their data and, in the case of payment card details in contact centers, want new technology to keep the data out of reach completely, rather than just storing it more securely or monitoring call center agents better. In this case the growing consensus is that keeping the data out of the contact center environment altogether is the best protection from any risk.

Increasingly, we believe that companies that are able to explicitly demonstrate a genuine commitment to data security, for example by complying with the terms of the GDPR, will have a long-term competitive advantage over those that do not. Good data security and privacy compliance leads to customer trust, which is an increasingly valued commodity these days, especially after the cybercrime community demonstrated its capabilities so dramatically with the global WannaCry ransomware attack, which affected organizations in at least 150 countries simultaneously, according to Europol.