Is your Contact Center Prepared for India’s New Data Privacy Law?

So, what does this mean for your organization’s contact center?

Call centers, being primary data collection points for organizations, handle a vast amount of personal data on a daily basis. Inadequate security measures at call centers expose them to the dangers of data breaches and privacy infringements. It is crucial for them to understand the types of data they handle and the potential consequences of mishandling or unauthorized access to this information. The thrust of the DPDPB Act is that consent is the king. There must be explicit consent and it must have a timeline. Every consent that you obtain from your customer should come with an expiry date and the timeline has to be mentioned. This article explores the key implications of the DPDPA on the call center industry and highlights the importance of consent, purpose, expiry, data handling practices, and security measures.

1. Ensuring Privacy: The Critical Role of Explicit Consent Under DPDPA

A new research that only 9% of Indian enterprises sought consent from users that was free, specific and informed. The study also found that only 41 out of 100 enterprise websites informed users about their rights to access, correct and erase their personal data. To tackle this challenge, this new law places a strong emphasis on obtaining explicit, informed, and time-bound consent from individuals whose data is being collected. They need to ensure that they have proper consent mechanisms in place before processing personal data.

For instance, when individuals contact a customer care center and hear the message “This call will be recorded for training purposes,” it is an example of seeking consent. Here, the call centers should clearly state the purpose of data collection, to whom the data will be shared, and how it will be used. They may further require you to state consent timelines. 

The DPDPA’s provisions apply uniformly to both voice and non-voice processes. Regardless of whether it’s a traditional phone call, a VoIP-based conversation, or a digital interaction such as web chat, email, or text messaging, these channels should clearly state the reasons for data collection and usage, share information about data recipients, and respect consent timelines.

Additionally, verifiable consent from a child’s parents or guardians is a must before collecting their data. The DPDP strictly prohibits practices such as closely monitoring or displaying personalized ads to children. The law also prevents the use of data that could harm a child’s well-being, emphasizing children’s privacy and safety as top priorities. 

2. Building Trust through Transparency: Stating the Purpose of Data Collection

When it comes to data collection, those responsible for gathering information carry the significant role of data fiduciaries. This role places paramount responsibility on them to protect data privacy and ensure transparent data disclosure. The fundamental questions surrounding data collection include

• What is the purpose of data collection?
• Who are the intended recipients?
• How will the processed data be used?

Data fiduciaries should clearly communicate these details, either through their website or on enrollment and registration forms, before customers are enlisted. This proactive approach establishes a foundation of trust by letting individuals know precisely why their data is being collected, who will have access to it, and how it will be utilized.

Another key aspect that needs to be looked into is third-party transfer. Call centers often outsource their customer data for processing through CRM, storage, analysis, and compliance-related issues. The PWC India survey also found that 43 per cent of organizations were found lacking in providing a well-defined purpose for which personal data was shared with third-party data processors. The DPDPA also addresses the issue of third-party transfers. Organizations sharing personal data with third-party processors must define a clear purpose for such data transfers. Data protection agreements should be in place, and third-party processors must ensure that the data is accessed only by authorized personnel for specific processing or analytical purposes. The new law not only lays the foundation for secure data sharing but also requires third-party entities to explicitly guarantee the confidentiality and privacy of data within their organization.

Additionally, the DPDPA grants the Central Government the authority to control the transfer of personal data by a data fiduciary to specific countries or territories outside of India. Essentially, unless a country is listed in the negative list published by the Central Government, personal data can be transferred without restrictions.

3. Consent Clarity: Understanding the Timeframe and Expiry

The law also states that there must be explicit consent from the user and the consent must have a time period of time. Every consent that you are obtaining from your customer has got an expiry and the timeline also needs to be mentioned. 

When your car is at the service station, the service provider may contact you until the service is completed. Similarly, if you’re a patient or their attendant, healthcare services can reach out to provide updates and share reports on the patient’s health. However, once the patient is discharged, they cannot continue contacting you unless you have specifically requested them to do so. This exemplifies the significance of consent expiration – it ensures that your consent remains in effect only for the agreed-upon purpose and timeframe.

Even with ISO 27001 and 27701 certifications, data within a company remains restricted, and robust access control measures are enforced. Similarly, corporate SOC2 and PCI DSS compliance operate on a strict “need to know” basis, meaning that information is shared only with individuals who require it for their roles. Access is carefully limited to maintain data security, and when someone leaves a function, their access to data is promptly revoked. Access control has to be maintained very tightly.

In the future, the government might implement a system to automatically document consent, its designated purpose, and, upon the conclusion of the consent period, have service providers automatically included in the “Do Not Disturb” (DND) list, preventing further contact.

Organizations handling significant amounts of user data will be required to appoint Data Protection Officers. To oversee compliance, call centers should also be required to undergo regular data audits by independent auditors appointed by the Data Protection Board.