Posts Tagged ‘data privacy’

VCC Live® Has Been Awarded the PCI DSS Certificate for the Fourth Time

Posted on: March 6th, 2019 by dorarapcsak

Another year, another successful IT audit! We’re more than delighted to announce that, after our latest comprehensive yearly audit, VCC Live® has once again been awarded the PCI DSS international certificate. VCC Live® has been PCI compliant for a number of years, and this year saw our certificate renewed for the fourth time.

For those not aware, PCI DSS (Payment Card Industry Data Security Standard) is one of the strictest cardholder data security standards in the world, and is backed by the five largest credit card issuers in the market.

The PCI DSS certificate applies to any organization that accepts credit and debit card payments, and PCI DSS compliance validation is performed annually or quarterly. As VCC Live®’s unique VCC Live Pay feature provides customers with the opportunity to make real-time payments during a single phone call, being PCI DSS-compliant is of utmost importance to us.

With the evolution of cybercrime, and with cybercriminals becoming more advanced than ever, businesses handling valuable customer data really do need to take all necessary measures to protect their data. Still, according to the following alarming statistics from research conducted by EY, it seems that the majority of companies are still not prepared for a potential data breach. Their research found that:

  • Only 38% of global organizations are prepared for a complex cyber attack
  • Only 4% of organizations are confident that they have fully considered the information security implications of their current strategy
  • Only 12% feel it is very likely they would detect a sophisticated cyber attack

We are proud to say that we are at the cutting edge in this respect, and one of only a few companies who take data security 100% seriously. Nothing proves this better than our fourth PCI DSS certificate, along with our two additional certificates, ISO 27001 and ISO 22301.

Balázs Zsolt, Information Security & Process Manager at VCC Live® and Miklós Tassi, Consultant and QSA Auditor at AperSky

Here at VCC Live, data security and privacy have been at the heart of the company from the very beginning, and we’re proud of the fact that our company has been built with customer privacy in mind.

This fourth renewal of our PCI DSS certificate clearly reflects our dedication to data privacy, and determination to continuously review our IT security and business continuity processes, including successfully undergoing the yearly audits required for all three certificates.

GDPR and Telemarketing: Is This the End of Cold Emails?

Posted on: August 10th, 2018 by dorarapcsak

With GDPR (the General Data Protection Regulation) coming into force on 25 May this year, companies hopefully have already finished their preparations for life under the new legislation.

One of the final pieces businesses needed to put in place was to update their service terms and send out emails informing recipients of those updates. And we bet you too received a whole load of these emails, right? It’s amazing how many companies have your data, isn’t it…

Ironically, these unrequested GDPR-related emails are an example of what we are going to talk about in this article: cold emailing, and how the new legislation affects it.

Cold emails are one of the main activities outbound call centers focus on. In previous articles, we talked about how call centers can prepare for the new rules and whether it is still permitted to initiate cold calls now that GDPR is in force. In this last part of our GDPR guide, we’ll take things further by discussing what GDPR means for telemarketing, and specifically for cold emailing.

As the legislation is now officially in force, there’s no longer any excuse for your business to act recklessly. If you want to continue to use email campaigns as part of your telemarketing strategy, it’s time to check out our pro tips!


Be aware of what “personal data” is

Let’s get straight to the point: although many people think GDPR has put an end to telemarketing, it’s actually still possible to send cold emails with this new legislation in force. However, not surprisingly, the rules of the game have changed significantly.

There’s no doubt that, if you wish to continue your telemarketing email campaigns, you will need to act in accordance with GDPR. Otherwise, your business may face fines of up to €20 million or 4% of annual turnover.

In terms of sending cold emails in a GDPR-compliant way, you will first need to be clear about what “personal data” is. As mentioned in a previous article, the term covers personal information such as names, home addresses, phone numbers and email addresses.

Bearing this in mind, you will also need to be both aware of and have a comprehensive understanding of your data collection processes, and how they relate to (and are restricted by) GDPR. This is the first step you’ll need to take before even considering sending out cold emails in the post-GDPR business world.


Rethinking your list-building processes

It’s a common list-building practice for companies to identify potential clients online, search for their contact details, add them to email lists and finally contact them with a product/service offer.

With GDPR in force, however, you’ll definitely need to rethink how you build your email lists – uploading random addresses to your email database is now a gamble that’s not worth taking.

As for bought email lists, you can continue to rely on them, but it is your responsibility to ensure your lists are 100% compliant with the new legislation.

Bear in mind that GDPR is not only about what data you can use, but also about how you can use it. Therefore, understanding why someone’s email address is on your list and how you obtained it should be high on your list of priorities.

Whether you’re collecting data yourself or buying lists, you’ll always need to keep track of how and why you’re storing and processing the data they include. In particular, GDPR specifies that you can only store and process data that is 100% required to provide your service to its full extent, and only for as short a time as needed. So, if you’re thinking in the long term, regular cleansing and maintenance of your email database is an absolute must.

Be prepared to know as much as you can about your email lists, as chances are you’ll receive “where did you get my email address from?” inquiries. It’s also essential for you to prepare informative replies to such questions in advance, explaining how and why you obtained particular customer data.

To summarize, having a transparent process of storing and processing personal data, and being able to provide information about this process in detail, is an essential step in complying with GDPR.


Clear consent vs. legitimate interest

In order to contact prospects in accordance with GDPR, you either need to receive clear consent from them or have a legitimate business interest when reaching out to them. Both of these options have already been discussed in detail in our previous article about GDPR and telesales, so we’re not going to talk about them in depth here.

These options can be considered the basis for sending cold emails in the post-GDPR world. Of course, if you have clear consent from customers to call them then there is not an issue, but what about new prospects? Can you have their consent if you’ve never been in touch before? Probably not.

Luckily, in such cases, you can outsmart GDPR by leveraging the option of legitimate interest. As outlined in the legislation, as long as you can claim you have a legitimate business interest in contacting customers, and it’s not overridden by your customers’ decision to not be contacted, you’re allowed to send them cold emails.


Ensure your emails are targeted and appropriate

Since it’s fairly difficult (if not impossible) to gain new prospects’ clear consent before contacting them, we assume the option of legitimate interest is already your best friend in the post-GDPR world.

It’s not that simple, however. As GDPR protects the personal data and privacy of individuals, if you base your email campaigns on legitimate interest, you’ll need to make sure your customers are likely to benefit from those business-related cold emails.

Legitimate interest is, in fact, one of the six lawful bases you can rely on to store and process customer data, but using it as a reason for contacting prospects is only legal if your interest is not overridden by prospects’ privacy rights.

Therefore, your campaign targeting has to be as tailored and relevant as possible: you cannot simply just send out unrequested cold emails to random email addresses. Instead, you’ll need to focus on reaching audiences that are genuinely interested in your products or services.

In practice this means that telemarketing departments will need to be able to justify that their cold emails target potential customers who are truly interested in their products or services. Furthermore, you will need to make sure you personalize your emails to the recipient, and also clearly identify the sender’s email address.

If you want to contact your prospects in a GDPR-compliant way, you’ll need to have a strong reason to do so, and make sure to explain your legitimate interest to them in your email copy.


Opt-in vs. opt-out

With GDPR in force, customer consent needs to be obtained, normally via opt-in boxes to be ticked. Indeed, the clearest way to obtain consent is to ask customers to tick an opt-in box confirming they are happy to receive your cold emails.

However, bear in mind that pre-checked opt-ins are no longer considered clear consent given by customers. Like it or not, if an individual doesn’t say a clear “yes”, it means “no”.

Our advice here is to use double opt-ins, as they mean your prospects will have to confirm their email address before being added to your email list. Using double opt-ins in telemarketing is, in our opinion, the best way to ensure compliance with GDPR.

Once you have received your customers’ consent, you’ll also need to provide them with a clear and easy opt-out option. Don’t forget that GDPR also states that customers can withdraw their consent at any time, and of course this applies to cold emails as well.

Whenever you send out your cold emails, make sure to insert an obvious opt-out box at the bottom of your email. Considering the consequences of breaching the new legislation, it’s better to play it safe, isn’t it?
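A consent register of the kind the list-building and opt-in sections above call for, as an added example (not VCC Live code): every address carries the source it came from and its lawful basis, a consent address is mailable only after double opt-in, opt-out is recorded and honoured for any basis, and the register can answer a “where did you get my email address from?” inquiry. The one-week confirmation window, the field names and the sample addresses are assumptions.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Contact:
    email: str
    source: str             # answer to "where did you get my address from?"
    basis: str              # "consent" or "legitimate_interest"
    reason: str             # consent wording shown, or why the interest is not overridden
    collected_at: datetime
    token: Optional[str] = None          # pending double opt-in token (consent only)
    confirmed_at: Optional[datetime] = None
    withdrawn_at: Optional[datetime] = None

class ConsentRegister:
    CONFIRM_WINDOW = timedelta(days=7)   # assumed policy: unconfirmed sign-ups expire after a week
    def __init__(self):
        self._contacts = {}
    def add(self, email, source, basis, reason, now):
        """Register an address; returns the double opt-in token to email when the basis is consent."""
        key = email.lower()
        if basis not in ("consent", "legitimate_interest") or not reason.strip():
            raise ValueError("every address needs a lawful basis and a recorded reason")
        if key in self._contacts and self._contacts[key].withdrawn_at is not None:
            raise ValueError("address opted out earlier; it stays on the suppression record")
        token = secrets.token_urlsafe(16) if basis == "consent" else None
        self._contacts[key] = Contact(key, source, basis, reason, now, token)
        return token
    def confirm(self, email, token, now):
        """Second step of double opt-in: the recipient clicks the emailed link within the window."""
        c = self._contacts.get(email.lower())
        if (c is None or c.token is None or now - c.collected_at > self.CONFIRM_WINDOW
                or not secrets.compare_digest(c.token.encode(), token.encode())):
            return False
        c.confirmed_at, c.token = now, None
        return True
    def withdraw(self, email, now):   # opt-out is honoured at any time, whatever the basis
        c = self._contacts.get(email.lower())
        if c is not None:
            c.withdrawn_at = now
    def may_email(self, email):       # the single check every campaign send should run
        c = self._contacts.get(email.lower())
        if c is None or c.withdrawn_at is not None:
            return False
        return c.basis == "legitimate_interest" or c.confirmed_at is not None
    def provenance(self, email):      # reply material for "where did you get my email address from?"
        c = self._contacts[email.lower()]
        return f"obtained from {c.source} on {c.collected_at.date()} under {c.basis}: {c.reason}"
```

Addresses that opted out are kept as a suppression record rather than deleted, so a later list import cannot silently re-add them.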

Articles and entries on vcc.live/blog do not constitute legal advice. Should you have any legal questions, please contact your lawyer or legal advisor. VCC Live® will not take any responsibility or liability for any damages, disadvantages or losses that may arise from the results of any interpretation of the contents of the blog.

The final countdown to GDPR: here’s a checklist for call centers

Posted on: April 16th, 2018 by dorarapcsak

Everyone is talking about GDPR, the EU’s General Data Protection Regulation that comes into effect on 25th May this year. The new legislation will bring major changes to the business world, and call centers, which usually deal with a huge volume of data, are certainly no exception.

GDPR aims to strengthen data protection across the EU, while giving people more control over how organizations can use their personal data. It will also introduce heavy penalties for organizations that fail to comply with the new legislation. For more information, read our previous blog post on GDPR.

As the final countdown has already begun, the issue is more relevant and urgent than ever. Check out our GDPR checklist, and make sure your call center is playing by the rules.

1. Raise awareness of data protection in your organization

First things first: GDPR applies to everyone in your organization, so it’s best that all of your staff are made fully aware of the importance of the new legislation. Make sure to appoint a team to monitor and audit the process of GDPR implementation. This team should thoroughly review how your customer data is collected, stored and processed.

You may also need to appoint a Data Protection Officer to oversee the process. Amongst other things, the Data Protection Officer should be responsible for training and advising your employees on how to be ready for GDPR.

2. Understand the data you collect

GDPR determines how organizations must handle the personal data they collect and store. Bearing this in mind, the first step you should take is to try and understand what data you collect and why you’re collecting it.

For call centers, this is particularly relevant because stricter rules will apply regarding the recording and archiving of customer calls. Therefore, make sure to review and identify how your call center stores customer information. Before you initiate a thorough data audit in your company, start by answering the following questions:

  • For what purpose do I collect customer information?
  • Is the information stored within my organization or externally?
  • Do I need to store all the information I collect?
  • If not, how can I dispose of it in a way that meets GDPR requirements?

Using a number of tech solutions will allow you to easily keep track of the data stored within your organization. For example, Zapier is a great online automation tool to connect different applications. With Zapier, you can keep your data up-to-date, and even transfer it in real time.

3. Always ask for customer consent

Call recording is a common call center practice. However, once GDPR comes into force, gone will be the days of carelessly recording customer calls.

For call centers, agents are often required to record customer calls for training purposes. However, after GDPR becomes effective, call center agents will need to specifically request permission from their customers to be able to record calls. Therefore, it is essential to ensure that your staff always pay special attention to obtaining consent from your customers.

4. Make sure customers can easily access their personal data

Under the new rules outlined by GDPR, customers will have the right to access any of their registered data in a structured digital format. Once your customer makes a request, your call center supervisors will have one month to fulfill it.

During the implementation process, make sure to ask yourself the following questions:

  • Am I able to easily track the requested personal data?
  • Are my call center supervisors able to fulfill the request within the given time period?
  • What is the easiest way to fulfill the request?

If you don’t have the answers, then you need to work on your procedures.

5. Prepare for the right to be forgotten

With GDPR in force, companies will be required to remove customers’ personal data upon request without charging them. For this reason, you should have efficient procedures to track customer data, check what information you hold about each customer and where it came from. Implementing tech solutions will also allow you to easily delete the requested data.

6. Always notify your customers about data breaches

GDPR will require organizations to report data breaches to the relevant authorities and individuals affected within 72 hours. However, it is worth knowing that notification is not needed if the data breach does not negatively affect the customer in question, and it can be delayed if there are exceptional circumstances. With this in mind, make sure you have the appropriate measures to detect, report and investigate data breaches.

7. Make sure your providers are also GDPR ready

If you operate a call center, it is more than likely that you use external service providers to store and process the customer data you collect. Therefore, it is crucially important to keep in mind that compliance is your responsibility. Check carefully that the external service providers you use are 100% up-to-date and GDPR compliant.

It is a good idea to clearly define the general rules with your service providers at the very beginning, to make sure that everyone is perfectly aware of the shared responsibility.

8. Practice makes perfect

As they say, practice makes perfect. Say you have successfully implemented GDPR in your organization and ensured your employees are up-to-date with the new procedures. Unfortunately, that doesn’t mean your work is done here.

Testing your procedures systematically is equally important. Make sure to evaluate customer calls to ensure your employees are successfully implementing the changes and properly communicating them to your customers. Turning this into regular practice will make all the difference.

Good luck with implementing GDPR in your organization. We’ll have another blog article in the next few days, so watch out for it!
