Lots of anecdotal evidence and this research recently undertaken by Channel Doctors shows that hundreds of thousands of UK call centre agents who normally work in traditional contact centres handling customer contacts are now working from home. For most organisations this transition has seen complex projects – which would normally takes months or years – get completed in days or weeks. And in recent days it looks increasingly likely that, to a greater or lesser extent, these short term measures will endure for some months to come.
Even if their technology solutions are resilient and enduring, contact centres which have enabled customer-facing work to continue from home are still faced with massive challenges. These include erratic levels of demand; altered channel usage; the problem of how to engage, motivate and support staff without a physical connection. And other challenges they may not yet have even thought of.
So, if you’re responsible for your contact centre you already have enough on your plate, but there are also key regulatory and compliance questions organisations need to both understood and address.
Where to start?
We can all agree that contact centre management must count as one of the most difficult jobs going right now. So, who has the time to ponder what the contact centre homeworking compliance issues are?
There is a way.
The collective response to the Covid-19 crisis has been typified by a pragmatic approach; focusing on what’s most important right now. You should do the same with your contact centre risk awareness and compliance.
Lots of areas need to be reviewed and potentially changes made, but some can wait and others really can’t. The simplest approach is to look take a risk-based view in order to prioritise.
Before you start, consider which best describes your situation:
1. You’re a stakeholder
There is a strong risk and compliance function looking to guide and direct contact centre activities.
2. You’re on your own
There is no central risk and compliance function – the contact centre is effectively responsible for its own compliance.
Depending on which best matches your contact centre’s status, the tasks before you and the degree importance of prioritisation will vary, but the same key questions will apply:
- Is auditing and addressing the fraud and cyber security risks of homeworking top of the agenda?
- What are the already-known areas of technology and process weaknesses? They need to be documented and a start made to address them
- The ICO has committed to ‘adjust [its] regulatory approach’. If you have areas of data protection exposure are you able to demonstrate that you know how to resolve them, even if you take advantage of the breathing space the ICO’s Covid-19 approach may offer?, emotional
- Your people may now be working from home, but have you been able to maintain the physical, emotional and legal protections they deserve?
- Who is responsible for carrying out due diligence (possibly retrospectively) on new techniques, processes, data sources and suppliers – and do they know what that due diligence requires?
We’ll consider these in more detail below.
Cash & Crime
For most organisations their biggest risk and exposure through contact centre homeworking isn’t regulatory, it’s criminal. Contact centre leaders responded very quickly to Covid-19; criminals and fraudsters have been quicker still.
Home based workers, remote from their usual support and information sources, are potentially vulnerable to fraudsters. In addition, many customers are being faced with personal and financial challenges, so some organisations are presented with an increased level of demanding and emotional contacts, which criminals will emulate and use to gain leverage.
Especially if data and payment management systems and processes are already insufficiently secure, there is the additional danger that employees may be vulnerable to persuasion or threat to illegally copy and share data. Even without access to payment gateways, remote contact centre staff and their systems can be the inadvertent conduits for phishing attacks and ransomware. If additional temporary staff have been recruited then their potential risk to the organisation is still greater.
Data security flaws in a traditional contact centre environment will further amplified in a home-based environment.
CCMA has already shared the Payment Card Industry (PCI) Security Standards Council’s blog about taking card payments by phone when working remotely. However, in simple terms it just re-states what the PCI-DSS rules are. Although banks may well show some initial leniency when it comes to increasing non-compliant merchants’ payment processing fees through the crisis period, the PCI compliance requirements remain the same, there is no Covid-19 leeway.
And remember, the ICO has explicitly stated that in the event of a data breach then if an organisation has failed to follow the PCI-DSS rules then the ICO will hold that against them.
The insurance industry – in part due to government ‘encouragement’ in March – has responded flexibly and helpfully to business change in the face of Covid-19. Most insurers have extended liability cover to include staff now working from home, as well as continuing to cover IT equipment (think about all those newly-purchased laptops!) now located in employees’ homes rather than in offices.
However, it’s best to check with your business broker or insurer to ensure you are covered.
Data Protection and the Information Commissioner’s Office (ICO)
The ICO realises that it needs to avoid being seen as standing in the way of organisations’ Covid-19 coping strategies. On 15th April the ICO issued its guidance on how it will regulate during coronavirus:
This built on earlier statements that “We understand that resources, whether they are finances or people, might be diverted away from usual compliance or information governance work. We won’t penalise organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period”.
Specifically on homeworking the ICO has said “data protection is not a barrier to increased and different types of homeworking”.
This is true, but meeting data protection rules for newly home-based workers will create a business process hurdle that organisations need to clear. The ICO’s ‘softly-softly’ approach to enforcement suggests that homeworking can be implemented now without the most onerous review of data protection rules and procedures, but that work will need to be done as soon as you can afterwards. For now the ICO’s focus is on Covid-19 based scams and criminal abuses of personal data, but normal service will resume in the medium term and the ICO’s enforcement is typically backward-looking.
So, create a diary note to get your data protection processes sorted now!
New Data; New Marketing Techniques
Anecdotally, some contact centres have reported increased contact and conversion rates on their proactive outbound calling. More generally, a largely captive nation of consumers is encouraging some businesses in specific sectors to accelerate their marketing efforts. As time goes on and Covid-19 sensitivity decreases and commercial pressures grow, more brands are likely to do the same. If these opportunities require either
- the acquisition of 3rd party prospect data, or
- new or extended proactive contact methods and channels (phone, email, social)
then organisations need to tread warily. The use of inappropriate or non-compliant data sources and using communications channels in a way which infringes the Ofcom or PECR rules leave organisations wide open to fines, reputational damage and the closure of revenue streams.
Health and Safety
The Health & Safety Executive requires employers to conduct workstation assessments for staff using Display Screen Equipment (DSE), whether they are office or home-based. The HSE says that there isn’t a requirement if staff are working from home “temporarily”, but as time goes on some contact centre home working is likely to feel semi-permanent.
Beyond DSE, the Health & Safety Executive states that employers must consider:
- How will you keep in touch with them?
- What work activity will they be doing (and for how long)?
- Can it be done safely?
- Do you need to put control measures in place to protect them?
And these considerations stand irrespective of whether the home working arrangement is permanent or just for the short-term. Contact centre employers which are experienced in managing home workers should have addressed the challenges; those that are new to home working probably haven’t. But there are financial and health risks to both employees and employers if these measures aren’t in place. If you don’t meet your duty of care, then you can very quickly change from being seen as a flexible and accommodating employer to an exploitative one!
Although it’s not really hit the regulatory radar, yet, many contact centres have been at the fore of recent initiatives to recognise the importance of maintaining good mental health in the workforce. At a time of societal change, anxiety and stress, an awareness of employers’ role in helping staff remain focused and effective in their roles is more important than ever. Ensuring the continued emotional support of contact centre staff – at all levels – needs to be maintained in parallel with working out how best to maintain motivation, morale and operational performance.
Do your employment contracts, internal policies and procedures and Staff Handbook all reflect a requirement for your contact centre staff to work from home? They need to – again, for both the employer and the employees’ sake. Make sure that the HR department are aware that this needs to be worked on immediately.
In order to meet increased or changed customer demand some organisations have had to quickly engage new outsourced contact centres or expand their existing relationships with them. Most professional outsourced service providers are both expert at both operating compliantly and meeting their clients’ requirements and internal processing needs.
However, compliance cannot be assumed, so the buyers of contact centre services need to undertake thorough due diligence – and be able to evidence it. It will be a challenge to do this retrospectively, but it will need to be done and evidenced.
Download the PDF below to view an infographic summary of all the findings.