In many cases, companies' contact centers or customer service departments have not implemented the much-needed procedures to secure one of their most valuable assets: their clients' information.
Information is collected daily while servicing the customer, and it usually includes personal data of some kind (phone number, health condition, address, bank details, etc…). Companies are required to pay special attention to, and comply with, the various regulations put in place to protect the personal data they store about both their customers and third parties.
The following security measures, which affect these services, must be taken into account (depending on the type of data processed):
- Incident records – a record of the personal data affected, lost or damaged, and of the corrective measures taken.
- Access control – only authorized users may access the company's personal information. Mechanisms should be established to prevent a user from accessing resources other than those they are authorized for.
- Media management – in addition to keeping a register of incoming and outgoing media, whenever the company disposes of any media containing personal data it must destroy or erase it, taking measures to prevent access to the information it contains or its subsequent recovery.
- Identification and authentication – mechanisms that allow the unambiguous and personalized identification of any user who tries to access the information system. When the authentication mechanism is based on passwords, there must be a process for their allocation, distribution and storage that ensures their confidentiality and integrity.
- Backup and recovery – backup and recovery systems.
- Physical access control – to the data centers and server rooms where the data reside.
- Media distribution – media are distributed with the data encrypted, or using another mechanism that ensures the information is not accessible or manipulated in transit.
- Access log – for each access attempt, at least the user ID, the date and time, the file accessed, the type of access, and whether it was granted or denied must be recorded. The mechanisms that produce the access log must be under the direct control of the responsible security officer and must not allow deactivation or manipulation. The minimum retention period for the recorded data is two years (for high-level data such as health, religion, union membership, etc…).
- Telecommunications systems – where high-level security measures apply, personal data transmitted over public networks or wireless electronic communications networks must be encrypted, or protected by another mechanism that ensures the information is not intelligible to, or manipulated by, third parties.
This legal obligation applies not only to Spanish companies but also to those with headquarters or a branch in Spain. In fact, the sanctions imposed on companies in recent years by the Spanish Data Protection Agency (AEPD) ranged from €900 to €300,000 (minor to severe) for each violation consisting of failing to comply with the established security measures.
Therefore, as a recommendation, from the medium security level upwards, the information systems, processing facilities and data storage must be subjected at least every two years to an internal or external audit that verifies compliance with the data protection security regulations.
It is also recommended to implement the procedures, policies, security documents and internal guides mentioned above, to facilitate the proper management of personal information. Otherwise, the company will be neglecting its customers' personal information, which not only exposes it to the AEPD sanctions mentioned but also to major reputational damage and a high vulnerability to hackers and phreaks.