The modern contact centre is a mine for customers’ personally identifiable information (PII). Every contact channel, every customer conversation, is a conduit for personal details. Enter data compliance standards.
All contact centres – no matter which industry, or which continent – must adhere to data privacy regulations in order to protect PII. But those regulations do vary from vertical to vertical, and from country to country.
So, with that in mind, we’ve explored four major data compliance standards from around the world, and what they mean in terms of your live chat channel.
GDPR is short for ‘General Data Protection Regulation’.
It applies to any organisation that handles personal data from the EU. In other words, if you have EU customers, business partners or deal with an EU citizen in any way, you must follow GDPR data compliance standards.
Additionally, you must delete data once its purpose of collection is fulfilled. GDPR also calls for active consent from those having their data collected — with the right to decline, request and withdraw their data.
What GDPR means for your chat
A live chat channel allows you to collect a wealth of consumer data. GDPR means you must obtain consent from consumers to collect and use this data. One way you could do this is with a check box in your pre-chat survey.
Your chat channel may also become a way for consumers to request their data from you, or request that you delete their data.
You also need to ensure the security of that data while it’s in your control. If you use an installable live chat offering, this means using tools like encryption and firewalls. For a cloud-based chat channel, the third-party provider should be in an EU-approved country, with high security practices.
HIPAA, or the Health Insurance Portability and Accountability Act, is all about keeping patient data safe. This entry in the list of data compliance standards applies to those in the healthcare industry that use a live chat channel — whether it’s to interact with patients or healthcare professionals (HCPs).
HIPAA requires you to control employee access to protected health information. This means using unique user IDs, and ensuring that access is kept to the minimum amount necessary for each employee to do their job.
What HIPAA means for your chat
HIPAA data compliance standards mean that you need to closely control access to the patient data you collect through your chat channel. This means using features like role-based permissions and guarding against privilege creep.
HIPAA also requires you to ensure the ongoing availability of data. In terms of your chat channel, this means ensuring high uptime, so that your chat data stays available. It also means having effective backup procedures in place, such as WhosOn’s data retention feature.
If your chat channel is cloud-based, you must ensure the provider can support HIPAA compliance.
The Payment Card Industry Data Security Standard, or PCI DSS, is all about keeping customer payment card data safe. This covers any personally identifiable information associated with cardholders.
This is one of the data compliance standards that places a high emphasis on strong cybersecurity measures, such as firewalls, passwords and anti-virus software. It also calls for regular software updates to keep your systems secure, regular scanning and testing for vulnerabilities, and risk assessments.
What PCI DSS means for your chat
Sometimes, chatters send their card information over chat — and you need to keep that data safe under this data compliance standard. Another instance where you may need to consider PCI DSS is if customers can purchase through your chat channel.
It’s important to ensure that your chat channel encrypts chat messages — this ensures that any cardholder data is likewise encrypted. You also need to think about how the information will appear in chat transcripts — and who has access to that data. Be sure to regularly review agent access rights and permissions.
Some chat channels come with extra security features for sensitive data built in. For example, WhosOn’s PCI/PII masking feature.
Read more: PCI masking: a feature dive
The next of the data compliance standards is CCPA, the California Consumer Privacy Act. CCPA is a bit like GDPR. The differences are that it is a California law, has a broader view of what constitutes private data, and doesn’t have the same requirements for reporting.
It allows any California consumer to demand to see all the information a company has about them — and a list of the third parties that information has been shared with.
Additionally, consumers must have the option to prevent their data from being shared with third parties. Businesses must disclose the collection and use of personal data, before or at the point of collection.
What CCPA means for your chat
This is another of the data compliance standards with a focus on securing private data. Its impact on your chat channel lies in identifying the data that the CCPA defines as private — and ensuring that you secure that data.
Under CCPA, your cloud-based live chat vendor would count as a ‘service provider’, rather than a ‘third party’. This means you are able to disclose chat data to your vendor for processing. However, it’s still important to ensure the security and privacy of that information.
Data compliance standards
Software itself cannot be ‘compliant’ — it’s all about how you use it. And that applies to a live chat channel too.
Additionally, and imperatively, your data compliance extends beyond your chat channel.
In general, data compliance standards follow similar themes. Have good security practices and work to protect the personal data and privacy of your customers.
For a contact centre with regulation-compliant live chat software, get in touch with the WhosOn experts today.