Data protection by design cornerstone of market research firm's PDPA compliance
· Being a people-oriented business, the key challenges for Joshua Research Consultants have been to manage internal stakeholders’ mindsets and behaviours, and the public’s perception towards market research.
· Call centre designed with data protection in mind
· Ground-up approach to understanding and strengthening data protection measures for office and call centre processes
· Stricter policies for call centre agents, improved physical security measures and an internal do-not-call list
· Upgrading of IT systems and hardware to support enhanced SOPs
· Internal stakeholder buy-in for new policies
· Strengthened client confidence in its service offerings
· Increased business opportunities
FOR the longest time, market research firms have found it a challenge to solicit responses through telephone surveys. While technology has aided telephone research through advances such as computer-assisted telephone interviewing, answering machines and caller identification have contributed to declines in response rates. This was not helped by the launch of the Do Not Call (DNC) Registry in Singapore in January 2014.
The intent of the DNC Registry is to minimise unsolicited telemarketing messages for individuals who opt in. It does not cover messages that do not contain any element of marketing, such as market research and opinion polling, among other exclusions in the Personal Data Protection Act (PDPA). These exclusions were formulated to help organisations carry out their non-marketing operations smoothly.
However, the difference between these exclusions and telemarketing messages is not always clear-cut. While the Personal Data Protection Commission (PDPC) had set out to educate members of the public on the exceptions to the DNC provisions through advertising and outreach, some continued to have a negative impression of telephone surveys.
Mr Alan Tay, Managing Director and data protection officer for Joshua Research Consultants (JRC), observes that the instinctive reaction from the public has been to reject such calls altogether, resulting in lower response rates to surveys and research programmes, hence affecting overall statistical data.
To alleviate this problem, the JRC call centre team is put through rigorous training to equip them with the skill set to deal with public perceptions.
“Being able to assure the public that we are conducting market research surveys and that we are not selling anything has helped us with our survey response rates,” says Mr Tay.
JRC provides market research services and data collection to clients in the Asia Pacific region and has offices in Singapore, Malaysia and China. Its Singapore headquarters employs 15 full-time staff and approximately 150 part-time staff in its call centre and for street surveys.
DATA PROTECTION BY DESIGN
In the burgeoning era of the Internet, information security has become all the more important. This is why JRC had embarked on data protection for its call centre even before the PDPA came into full force in July 2014.
According to Mr Tay, JRC had designed its call centre with data protection in mind – the facility is located in a unit separate from the main office and is only accessible to management and call centre agents. Furthermore, entry into the call centre is constantly logged through the use of access cards.
The space is also segregated into multiple soundproof rooms so that personal data is not inadvertently disclosed.
Technology-wise, JRC segregates its local area network (LAN) and Wi-Fi systems to reduce the possibility of an unauthorised external party tapping into the Wi-Fi to access the corporate network.
Another security precaution is the use of tablets for street surveys. Surveys in paper forms may easily be misplaced, leading to the loss of personal data. Using information technology (IT) as a solution has brought about better productivity and introduced a more secure way of handling the personal data that JRC collects. “Should a tablet be lost or misplaced, we are also able to erase the contents remotely to minimise any leak of personal data,” Mr Tay adds.
JRC also enhanced its standard operating procedures (SOPs) relating to its IT processes and systems, which among others entail stronger password policies for all devices, regular asset management, and tighter access control.
Mr Tay acknowledges that the SOPs relating to the call centres might have been fluid in the early days. He recalls an incident in another country where a call centre agent had retained an interviewee’s telephone number for his own use.
To ensure that a similar situation does not arise, JRC now makes it mandatory for call centre agents to leave their belongings in a locker. This applies to all items, including mobile phones. All materials necessary for them to carry out their tasks, including writing paper, will be issued by JRC.
At the end of their shifts, the agents must surrender their writing paper – complete with notes that they might have taken down – for shredding. The paper is collected, shredded and disposed of regularly by a professional shredding contractor.
“The PDPA has given us ground to implement even stricter measures because the implications of non-compliance are too severe to ignore,” he says.
The stricter measures imposed on call centre agents, especially the prohibition of mobile phones in the call centre rooms, met with initial resistance, but dedicated training and information sharing on PDPA requirements have enabled Mr Tay to change their mindsets and behaviours.
Mr Tay says the time and effort invested to engage staff in discussions about the PDPA, its implications and the new processes that had to be implemented within the organisation were well spent. “Previously, they complained a lot about the restrictions imposed on them, but now they express understanding.”
WEIGHING THE COSTS
JRC undertook the development and implementation of data protection policies in-house, adopting a ground-up approach. “When we embarked on this exercise, we felt that it should not be a top-down approach as that is usually met with high resistance. Internal stakeholders, such as staff members, should take some ownership.”
He reckons that he and his team spent a total of eight months researching, discussing and developing improved data protection policies and practices for the company. There were also open discussions with full-time staff members.
Other costs of compliance relate to the IT enhancements and staff training, as well as man-hours put into issues management.
“We take issues management very seriously,” Mr Tay says. “There was a gentleman whose name and contact details happened to be on two of our projects’ databases, each belonging to a different client. He had told the first call centre agent to remove his name from the call list, but we didn’t know then that he was on the other database as well. So, when he received another call from us, he was annoyed! It took us three weeks to investigate and settle the matter, but it was important that we did.”
To prevent the same issue from arising, JRC created its own do-not-call list which identifies recipients who have opted out of participating in market research surveys. The list will be run through before every new project to ensure that the recipients’ numbers are omitted from the project.
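The pre-project check described above can be sketched as follows. This is an added example, not JRC's own system: the class and function names, the 8-digit Singapore number format, the keyed-hash storage and the sample records are all assumptions made for illustration. It shows an opt-out taken on one client's project being applied to another client's call list even when the same number is formatted differently.

```python
import hashlib
import hmac
import re

def normalise_sg(number: str) -> str:
    """Reduce a Singapore number to its 8 national digits (assumed format)."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 10 and digits.startswith("65"):
        digits = digits[2:]  # drop the +65 country code
    if len(digits) != 8:
        raise ValueError(f"unexpected number format: {number!r}")
    return digits

class SuppressionList:
    """Company-wide opt-out list shared by every project and client database."""

    def __init__(self, key: bytes):
        self._key = key
        self._tokens = set()

    def _token(self, number: str) -> str:
        # Keyed hash (a design choice of this example): the list itself
        # then holds no readable telephone numbers.
        msg = normalise_sg(number).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def opt_out(self, number: str) -> None:
        self._tokens.add(self._token(number))

    def scrub(self, call_list):
        """Split a project's call list into (callable, suppressed) records."""
        keep, dropped = [], []
        for record in call_list:
            hit = self._token(record["phone"]) in self._tokens
            (dropped if hit else keep).append(record)
        return keep, dropped

def demo():
    dnc = SuppressionList(key=b"constructed-demo-key")
    dnc.opt_out("+65 9123 4567")  # opt-out received on client A's project
    # Constructed call list for client B: same person, different formatting.
    client_b = [
        {"name": "Respondent 1", "phone": "91234567"},
        {"name": "Respondent 2", "phone": "6591 234 568"},
    ]
    return dnc.scrub(client_b)

if __name__ == "__main__":
    keep, dropped = demo()
    print("call:", keep)
    print("suppressed:", dropped)
```

Numbers that cannot be normalised raise an error rather than passing through unmatched, so a malformed entry is reviewed by a person instead of being called.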
Weighing in on the time and effort spent, Mr Tay says, “It is all worthwhile. Many of our clients are MNCs and large corporations so they demand very high standards. We are delivering to those standards, which has opened up greater business opportunities for us. Our clients and stakeholders have more confidence in us now.”