On 1 July, the grace period for compliance with the Protection of Personal Information Act (POPIA) will come to an end. That means organisations found to be in breach of the act will be liable for fines and even criminal persecution.
By John Woollam, CEO of Euphoria Telecom
Given the long lead up to POPIA’s implementation, most organisations should be compliant by now. The flurry of activity when the European Union’s General Data Protection Regulation (GDPR) grace period came to an end in 2018 shows, however, that this won’t necessarily be the case.
And while POPIA will affect most organisations, it will have a particularly large impact on contact centres. Few organisations deal with as much personal information as outbound contact centres. Whether they deal with sales, debt collection, or general customer outreach, they need to have as much relevant information as possible about the people they’re contacting. It’s therefore pivotal that they pay extra care when ensuring that they’re POPIA compliant.
Here’s how they can do so.
* Understand the data you deal with – You cannot hope to adequately protect customer data in line with POPIA if you don’t have an accurate understanding of the data in your possession. As such, it’s important that you document the categories of data subjects within your company and describe the personal information that is processed for each. Using the categories of data subjects you’ve defined, you can map the flow of personal information into, through and out of your business, including external parties that have access to that information.
* Appoint a data privacy team – In order to be POPIA compliant, every organisation has to appoint an information officer, whose role is to encourage compliance and deal with requests made to the organisation in relation to the act (for instance, requests from data subjects to update or view their personal information) among other things. Beyond that, they should also appoint a data privacy team who will be responsible for reaching and maintaining POPI compliance. Be sure to include representatives from each data subject category (including HR, sales, and marketing) and from functional areas, such as technology, operations and information security.
* Have the right security infrastructure in place – For the outbound contact centre, having the right security infrastructure in place is particularly important. That doesn’t just mean having the right security software either. While security measures such as encryption, firewalls, anti-virus, backups, disk encryption for mobile hard drives, and devices are all important, they aren’t enough by themselves. You also need to ensure you have adequate physical security measures. Having the right access control measures for on-site premises can also be important. These all need to be in accordance with internationally accepted standards.
* Equip your contact centre workers for secure remote work – The events of the past year or so have made the case for remote work stronger than ever, with contact centres embracing the trend as readily as anyone else. Here, the growth in VoIP and cloud-based contact centre technology has been particularly helpful. But it’s important to ensure that the cloud software you use is secure and POPIA compliant, along with any other remote tools that your employees use.
* Visibly demonstrate compliance – It’s not enough to simply say that your contact centre is POPIA compliant, you have to visibly demonstrate it. The best way of doing so is to establish and capture your client’s preferred mode of communication, and exclusively communicate with them on that channel.
An ongoing effort
Finally, it’s important to remember that POPIA compliance isn’t a “once and done” initiative. It’s something that requires ongoing effort and evaluation of the procedures, staff, software, and technology within your contact centre.