Altogether more useful than an MP’s Surgery, though perhaps not as fetching as Grey’s Anatomy, WeAnswer’s Data Doctor grapples with some of your compliance and data protection quandaries….
Dear Data Doctor,
We are about to launch a relatively modest mail-order retail business with a potential global reach. I lack extensive knowledge in compliance and data security but due to resource limitations these responsibilities have fallen to me. What advice would you give me on creating and maintaining successful data compliance processes?
A. Novice, Brighton.
Thanks for your query, A. Your first consideration should be ensuring your company and/or suppliers are fully PCI DSS compliant. Any organisation that stores, transmits or processes cardholder data must comply with PCI DSS. Compliance is regulated and enforced by the ‘acquiring bank’ with which every organisation must hold a merchant account. You should also register with the Visa Merchant Agent scheme, if applicable (more on this later), and ensure you have a secure and well-organised framework for data storage (again, more later). You must always encrypt sensitive data using industry-standard encryption such as AES. If your business aspires to penetrate global markets, as you indicate in your letter, there will be a wealth of other considerations to address, such as data protection laws in different countries or states. Once you have identified the territories, you should consult a reputable organisation, such as the DMA, to get the most current compliance requisites.
Education and communication are also key to your success. You must ensure that your policies are communicated and rolled out company-wide, with areas of responsibility clearly assigned, including the training of new staff and escalation processes. Your colleagues should know about the risks your business is exposed to and be able to identify spam, phishing and malware attacks, such as Trojans. Your staff are the eyes and ears of your business, so make sure they are fully knowledge-equipped!
Dear Data Doctor,
We strive to be a compliant company with the customer’s needs in our heart and their pennies in our pocket, but our contact centre interaction is increasingly blighted by ‘blocking’ calls from people who aren’t the authorised account holder. Calls are usually curtailed before we can even get to understand the customer’s issue. We don’t want to endanger our compliance obligations but one more unresolvable call from a poor chap on behalf of his hard-of-hearing wife and I think both the caller and our call handler might move organisations!
Befuddled, Colchester.
Befuddled, this is a common ailment and, fortunately for all parties concerned, an easily treatable one. It is very important that you find a balance between compliance and irritating your customers unnecessarily. Third-party authorisation is a particular bugbear and can be avoided with a simple authorisation form filled out at the point of recruitment, or indeed retrospectively. It is worth noting, while on the subject of contact centres, how important it is to ensure key compliance statements are made by staff – failure to do so can render a transaction null and void (think of the recent multi-million pound fines to large energy suppliers from Ofgem). Speech analytics can help with this, as can simply impressing the importance of this on your staff, being vigilant with quality control and being consistent in your training and sign-off processes.
Dear Data Doctor,
As an online retailer with security at the core of my remit, I have been plagued with an acute headache every time I hear the words, “Big Data”. Its increasing ubiquity is shattering my nerves and I just don’t have time to read another blog on it! Our systems are modern and we are PCI DSS compliant. What can I do to protect my customers and business?
Vexed, Hartlepool.
Vexed, you are right to pay heed to Big Data; indeed, as you acknowledge, you can barely pass an hour without hearing about it. Big Data is the tech buzzword du jour and refers to data sets so substantial that they require different management tools and applications from those used for the data volumes we are used to. If you consider the breadth of data accumulated daily from social media, financial services and health care authorities, you can get an idea of the relevance of the discussion.
Your prognosis is good due to the modernity of your systems. Newer database solutions offer automated ways of discovering data and of triaging systems that appear to hold data they shouldn’t. You can build on this, either independently or by talking to data warehousing experts about opportunities for automation. It is important to understand, and document, where all your important data sits and to ‘file’ it accordingly, for example as transactional and non-transactional. This makes encryption easier and makes the data much easier to monitor.
Managed well, Big Data could become your organisation’s best friend – the insights gleaned can significantly enhance your marketing and business development strategies. You need to consider privacy issues carefully, as well as compliance and security, and be open with your customers about how you use their data throughout your collateral; any benefits must apply to both sides.
Dear Data Doctor,
In the tail end of 2012 I swear I kept hearing mutterings about Visa Merchant Agent registration and the perils of non-compliance. Nearly halfway into 2013 I have heard precious little else. Was I hallucinating?
Possibly Deluded, Stockport.
Worry not, PD: while the scheme continues to progress at a geological pace, Data Doctor’s consultants in the field have been reliably informed that the scheme is very much real. WeAnswer were one of the first contact centres to register, showing our commitment to compliance and the protection of customer data.
Third-party service providers (also known as Merchant Agents) need to be registered and on the list, and merchants who use a third party should check that their providers are registered. The scheme seeks to protect consumers from fraud and encourages merchants to take responsibility for their part in compliant credit card transactions. Visa’s website warns of “increasing impacts” for businesses that do not register with the scheme, with effect from 31 December 2012, and with a behemoth such as Visa, I simply wouldn’t mess.