18 February 2025 | Categories: feature articles


By Christopher Lawson, Managing Executive: Risk, Compliance, Business Resilience and Information Privacy at CCI South Africa, Cobus Pretorius, Chief Technology Officer at CCI South Africa and Niko Mastropaolo, Group Chief Information Security Officer at CCI Ireland.

As the custodians of vast amounts of sensitive customer information, companies globally face increasing scrutiny over their data governance practices, and with good reason. “Data is the new oil.” It’s a cliché, but it’s accurate.

With its customer-centric business model and multi-territory, multi-industry sector client base, the Business Process Outsourcing (BPO) sector faces unique challenges in developing secure environments that create trust between service providers and their clients, while facing increasing scrutiny and regulation of their data governance practices.

A complex combination of territories and regulations

As governments have turned a lens towards protecting the personal data of their citizens, and the responsibilities that organisations have towards their customers’ and clients’ personal information, a host of legislation has been enacted to this end.

In Europe, the General Data Protection Regulation (GDPR) is in effect; in South Africa, the Protection of Personal Information Act (POPIA) holds sway; while in the USA, the California Consumer Privacy Act (CCPA) gives consumers more control over the personal information that businesses collect about them, and other states have similar legislative requirements in place or in progress. Certain industries have further governing legislation: for example, the health insurance industry is governed by HIPAA, the Health Insurance Portability and Accountability Act, and the payment card industry is governed by PCI-DSS, the Payment Card Industry Data Security Standard.

By the very nature of the sector, BPO companies deal with multiple clients in multiple sectors at any one time, with a client and customer base that likely spans across multiple legal and regulatory territories. These companies face a complex task of managing data, including cross-border data transfers, varying regulatory and legislative landscapes, and the complexity of handling diverse client data. Alongside this regulatory overlay, each BPO client has a different set of business requirements, making it necessary to tailor data governance to client specifications.

In this regard, the principle of minimalism applies in data collection – companies should collect only the minimum amount of data necessary to fulfil the explicit purpose of their customer interaction, thereby avoiding unnecessary data collection to reduce the burden of securing and managing it. BPO operators should also feel comfortable challenging clients who provide excessive data and ensure that only necessary data is collected and retained, and must also be alert to non-compliance or less rigid adherence to best practices by clients or upstream and downstream vendors, as these too could have implications for the BPO operator.

Staying abreast of best practices

Good practices are essential to make sure that regulatory requirements are adhered to in every instance. The importance of obtaining explicit consent from data owners before using their data cannot be overstated, and it goes without saying that data collected for one purpose should not be used for any other purpose without explicit consent.

It is also of critical importance that companies stay abreast of current regulations. This is a fast-moving landscape, and it is all too easy for a company to come unstuck because they don’t keep track of regulations. GDPR is an example of a good framework to follow, as it covers a wide range of data protection principles, including lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitations and confidentiality.

And although it is an EU regulation, it has global impact, because it applies to any organisation processing the personal data of EU citizens regardless of where the organisation is based. These elements make GDPR a robust framework that promotes best practices in governance.

AI tools add complexity

Of course, a conversation about data governance cannot ignore the impact of AI. This technology is enabling people to execute activities at an extremely accelerated pace because it’s now possible to replicate and learn tasks very quickly. AI tools are also running behind the applications BPO operators run every day, such as knowledge databases. The convenience of these tools means that they are proliferating in the workplace, but the counterpoint to this appetite for convenience is the risk that comes with potentially inputting proprietary company and/or client information into an AI tool that uses that information for training its datasets.

BPO operators must actively manage these risks while acknowledging and embracing the convenience they offer to agents. Here, it’s valid to argue that BPO companies are best served by building their own Large Language Models (LLMs) to deploy for clients, trained on their own data, in some instances using on-premise rather than cloud storage. This has the massive advantage of creating an isolated environment that provides peace of mind and security to clients while still providing the benefits of AI tools and access to an LLM-powered knowledge base for the agents who are tasked with dealing with customer queries. Having recognised early on that there would be a significant challenge with AI tools and LLMs, CCI has had great success with developing bespoke models that offer clients the advantages of AI while mitigating the risks of inappropriate data usage.

Good practices are key for data protection

It is critically important for BPO organisations to maintain foundational controls and good governance practices in the face of new technologies and an evolving threat landscape. Accountability and responsibility must be shared by all employees to manage risk and ensure data security.

Ongoing security awareness training for BPO employees to highlight potential threats is a cornerstone of fostering a company-wide culture of data responsibility. Without this culture of responsibility, even the strongest set of data protections can be compromised by the unwitting actions of an employee.

The final piece of the puzzle is C-suite support for cross-company awareness and training. When CIOs and CTOs have the support of the executive team, with alignment on the necessary data security measures, the security posture of the organisation as a whole is strengthened. There is no question that data protection and cybersecurity best practices have a bottom-line implication, but the reputational cost of a breach or loss of data is immeasurably more damaging and potentially costly.

The job is never done

By following practices that include strong access controls, implementing regular audits and monitoring, ensuring continuous compliance with data regulations such as GDPR, POPIA, HIPAA, CCPA and PCI-DSS, and regularly training employees on data security best practices, BPO companies can significantly reduce the risk of data breaches and ensure the security of sensitive customer data.

The path to enhanced security and trust is paved with continuous vigilance, compliance, and a commitment to best practices, ensuring that client and customer data remains secure at every turn. Effective data governance in the BPO sector is not merely a regulatory requirement but a crucial factor in building and maintaining trust with clients.

By proactively addressing the challenges posed by an evolving digital landscape and putting robust data protection mechanisms in place, BPO companies can not only safeguard sensitive information but also enhance their reputation and competitive edge in the market.
