Navigating global regulations to enhance BPO data governance

As governments focus on protecting personal data, various laws have been enacted globally.
In Europe, the General Data Protection Regulation (GDPR) is in effect, South Africa enforces the Protection of Personal Information Act (POPIA), and the USA has the California Consumer Privacy Act (CCPA) along with other similar state laws.
Certain industries are also governed by specific laws, such as HIPAA for health insurance and PCI-DSS for the payment card industry.
Given the sector's nature, BPO companies handle multiple clients across various legal territories, navigating complex regulatory landscapes and diverse client data.
Managing cross-border transfers and ensuring data minimisation – collecting only necessary information – are crucial.
BPOs should challenge excessive data practices, ensure compliance, and be vigilant about non-compliance from clients or vendors.
Staying abreast of best practices
Good practices are essential to make sure that regulatory requirements are adhered to in every instance.
The importance of obtaining explicit consent from data owners before using their data cannot be overstated, and it goes without saying that data collected for one purpose should not be used for any other purpose without explicit consent.
It is also of critical importance that companies stay abreast of current regulations. This is a fast-moving landscape, and it is all too easy for a company to come unstuck because they don’t keep track of regulations.
GDPR is an example of a good framework to follow, as it covers a wide range of data protection principles, including lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitations and confidentiality.
And although it is an EU regulation, it has global impact, because it applies to any organisation processing the personal data of EU citizens regardless of where the organisation is based.
These elements make GDPR a robust framework that promotes best practices in governance.
AI tools add complexity
Of course, a conversation about data governance cannot ignore the impact of AI.
This technology is enabling people to execute activities at an extremely accelerated pace because it’s now possible to replicate and learn tasks very quickly.
AI tools are also running behind the applications BPO operators run every day, such as knowledge databases.
The convenience of these tools means that they are proliferating in the workplace, but the counterpoint to this appetite for convenience is the risk that comes with potentially inputting proprietary company and/or client information into an AI tool that uses that information for training its datasets.
BPO operators must actively manage these risks while acknowledging and embracing the convenience they offer to agents.
Here, it’s valid to argue that BPO companies are best served by building their own Large Language Models (LLMs) to deploy for clients, trained on their own data, in some instances using on-premise rather than cloud storage.
This has the massive advantage of creating an isolated environment that provides peace of mind and security to clients while still providing the benefits of AI tools and access to an LLM-powered knowledge base for the agents who are tasked with dealing with customer queries.
Having recognised early on that there would be a significant challenge with AI tools and LLMs, CCI has had great success with developing bespoke models that offer clients the advantages of AI while mitigating the risks of inappropriate data usage.
Good practices are key for data protection
It is critically important for BPO organisations to maintain foundational controls and good governance practices in the face of new technologies and an evolving threat landscape.
Accountability and responsibility must be shared by all employees to manage risk and ensure data security.
Ongoing security awareness training for BPO employees to highlight potential threats is a cornerstone of fostering a company-wide culture of data responsibility.
Without this culture of responsibility, even the strongest set of data protections can be compromised by the unwitting actions of an employee.
The final piece of the puzzle is C-suite support for cross-company awareness and training.
When CIOs and CTOs have the support of the executive team, with alignment on the necessary data security measures, the security posture of the organisation as a whole is strengthened.
There is no question that data protection and cybersecurity best practices have a bottom-line implication, but the reputational cost of a breach or loss of data is immeasurably more damaging and potentially costly.
The job is never done
By following practices that include strong access controls, implementing regular audits and monitoring, ensuring continuous compliance with data regulation, and regularly training employees on data security best practices, BPO companies can significantly reduce the risk of data breaches and ensure the security of sensitive customer data.
The path to enhanced security and trust is paved with continuous vigilance, compliance, and a commitment to best practices, ensuring that client and customer data remains secure at every turn.
Effective data governance in the BPO sector is not merely a regulatory requirement but a crucial factor in building and maintaining trust with clients.
By proactively addressing the challenges posed by an evolving digital landscape and putting robust data protection mechanisms in place, BPO companies can not only safeguard sensitive information but also enhance their reputation and competitive edge in the market.
About Christopher Lawson, Cobus Pretorius and Niko Mastropaolo
Christopher Lawson, Managing Executive: Risk, Compliance, Business Resilience and Information Privacy at CCI South Africa; Cobus Pretorius, Chief Technology Officer at CCI South Africa; and Niko Mastropaolo, Group Chief Information Security Officer at CCI Ireland.