The privacy authorities are calling. Is your call centre data GDPR and CCPA compliant?

by | Nov 12, 2019 | Anonymization, CCPA, Data Breach, Privacy blog

Every time someone calls your call centre, the conversation is recorded and transcribed into free-text data. This provides your business with a wealth of valuable data to derive insights from. The problem is, the way you are using the data today violates privacy regulations and puts you at risk of nine-figure fines and reputational damage.

Call centres often record and manage extremely sensitive data. For example, at a bank, a customer will provide their name, account number, and the answer to a security question (such as their mother’s maiden name). At a wealth management office, someone may call in and talk about their divorce proceedings. This information is not only incredibly personal, but using it for additional purposes without consent is against the law.

Data is transcribed for training purposes. However, the data is often repurposed. Businesses rely on this data for everything from upselling to avoiding customer churn – not to mention the revenue some earn from selling data. 

But under GDPR, data cannot be used for additional purposes without the explicit consent of the data subject.  To comply with privacy regulations, when data science and analytics are performed on the transcripts, a business must first inform and ask permission for each and every instance of use. 

Every time a business asks for permission, they risk requests for data deletion and denials of use that render the transcripts useless. This is because people do not want their data to be exposed, let alone be used to monitor their behaviour.

However, this does not mean all your transcript data is null and void. Why? Because by anonymizing data, you can protect customer privacy and take data out-of-scope from privacy regulations.

In other words, if you anonymize your call centre data, you can use the transcripts for any purpose.

However, anonymization of this kind of data is more complicated than applying traditional methods of privacy protection, like masking and tokenization. Audio transcripts are unstructured, and so using traditional anonymization methods render the data unusable. 

If you use improperly anonymized transcript data for additional purposes, without consent, you will be found in violation of GDPR. This means your business can be fined up to 4% of your revenue. Mistaking partially protected data as anonymized, or hoping manual approaches to de-identification will work, is not legally acceptable. Just ask Google how that turned out for them.

To avoid this, businesses must utilize systematic privacy assessments that quantify the re-identification risk score of their data and establish automated privacy protection based on a predetermined risk threshold. With this, businesses can be certain of the anonymization of their transcripts and perform secondary actions without risking GDPR non-compliance.

State-of-the-art technologies will also enable businesses to measure and reduce the impact of privacy protection on the analytical value of data.

Call centre transcripts are a rich source of customer data that can generate valuable business insights. But blindly using this information can cost your business millions. Use an advanced privacy protection solution to anonymize your transcripts while retaining the analytical value. 

Join our newletter