Martech security and compliance is a subject that’s right up there with scraping paint and sorting socks. Yes, it’s boring and tedious, but unlike mismatching your socks, doing it wrong might get you fired. So bear with us and we’ll try to make learning about the latest digital information security and compliance rules that marketers need to know as painless as possible. Then you can get back to your sock drawer.
It seems like you’re confronted with a new and confusing compliance standard every other week. New acronyms like GDPR and SOC and HIPAA can be confounding and nerve-wracking for everyone from marketing to IT as you scramble to figure them out and get compliant. The pool of anxiety that wells up inside of you comes from the hefty fines for non-compliance and the potential of driving away customers if you’re not meeting these standards.
According to recent findings by Ponemon Institute and GlobalScape, non-compliance now can cost a business anywhere from $2.2 million to $39.2 million, with penalties rising 45% since 2011. With such large amounts of money at risk (and potential negative headlines in the press), investing in privacy, security, and compliance is not exactly optional.
Since most marketers are about as good at cybersecurity as they are at Ruby on Rails, we’ve put together this primer on the four major global consumer privacy standards that you need to know about — GDPR, SOC, HIPAA, and PCI DSS — and how they might impact your call tracking and analytics solution. We’ll get through this without making your eyes bleed, I promise.
The four security and data privacy standards that marketers most frequently need to concern themselves with are GDPR, SOC, HIPAA, and PCI DSS. To help keep your head on straight, we’ll review each one in plain English to help you understand them and make you seem way smarter when you hang out with the IT crowd.
The General Data Protection Regulation (GDPR) went into effect in May 2018 and is the primary law regulating how companies protect the personal data of EU citizens. With it, consumers now have the right to access and modify their data held by companies. It also helped put mechanisms in place so that a person can request to have their personal data deleted by a company, or opt out of having their personal data collected in the first place. It may seem like yet another pain in your rump, but GDPR actually helped create a single set of rules throughout the EU to make compliance simpler.
It has been such a hot topic because of its comprehensiveness: GDPR has a very broad definition of “personal data,” and that means many companies are impacted by its policies. Under GDPR, personal data covers personally identifiable information such as name, address, and date of birth. But it goes further to include IP address, genetic data, and biometric data, items that historically hadn’t been classified in this manner.
The standard applies to any business that holds data belonging to individuals within the EU. This means that even though you might not directly have a footprint there, if one of your clients is doing business in the EU, then you must follow the policies outlined in GDPR. Womp womp.
Since so many companies are impacted by this compliance standard, it’s table stakes for call tracking providers to meet its guidelines. Invoca is compliant with all GDPR standards. If you come across any marketing technology that isn’t GDPR compliant, just stay far, far away from it.
Service Organization Control or SOC (pronounced “sock”, and equally as exciting!) is another compliance standard that you’ve probably heard your technology partners bring up right before your eyes glossed over and you stopped listening. To put it simply, SOC is a set of reports that detail the systems and processes that a company has in place to regulate and protect customer data.
There are three types of SOC compliance, each one serving a specific purpose:
SOC 1 definition: SOC 1 is focused on a service organization’s controls that are likely to be relevant to an audit of a customer’s financial statements.
SOC 2 definition: SOC 2 is focused on a service organization’s controls that relate to operations and compliance concerning availability, security, processing integrity, confidentiality, and privacy.
SOC 3 definition: SOC 3 is focused on a service organization’s internal controls for security, availability, processing integrity, confidentiality, or privacy.
To ensure that this is as complicated as possible, there are also two different “types” that are added on to each SOC compliance standard, e.g. SOC 2 Type 1 or SOC 2 Type 2. Here’s what it boils down to:
SOC Type 1 means that the company did a self-assessment to determine if they meet the specified SOC compliance standard at that specific point in time.
SOC Type 2 means that a SOC-certified third-party auditor has been used to assure compliance over a minimum six-month period.
I like to compare this to buying a used car off Craigslist where the owner attests that it “runs great” versus a certified pre-owned vehicle that has received the 160-point inspection at the dealership and comes with a warranty. The Craigslist car could be fine, or you could end up being stuck with a heap. The certified one gives you more assurance of its quality and recourse if it’s not up to snuff.
When evaluating call tracking providers, you should check if they’re SOC 2 Type 1 or SOC 2 Type 2 compliant. Then, be sure to ask what features of their product offering are in the scope of that compliance. Many call tracking providers have gone the route of scoping SOC compliance to a particular portion of their product offering to be able to say they meet the standard. This means that you may not be able to use all the available features and still be compliant. Invoca is SOC 2 Type 2 compliant with all available features enabled in all use cases.
If you live in the financial services world, then you’re no doubt familiar with the Payment Card Industry Data Security Standard (PCI DSS). Since you’re in marketing, we’ll define it. PCI DSS is a set of security standards designed to ensure that companies that accept, process, store, or transmit credit card information (AKA anyone who sells anything, AKA you) maintain a secure environment for that data. Even though it was made specifically with the financial services industry in mind, it has a wider reach because it includes any organization that handles credit card information at some point in the customer transaction journey.
It mandates that a company must meet requirements in the following six groups:
There are two ways for a company to determine if it meets the requirements: completing a self-assessment questionnaire or having PCI-approved auditors perform the evaluation. The self-assessment questionnaire only means that you have the right things in place to meet the requirements, while the formal audit process is the only way for a company to become officially certified.
While call tracking providers do not directly handle payment processing, PCI DSS compliance may be required for call tracking users who process payments over the phone. This is because some call analytics features will record and/or transcribe calls and therefore potentially record sensitive customer data.
Invoca has gone through the formal audit and is certified in the PCI DSS standards with all call analytics features, including Signal AI, enabled. We’re able to accomplish this with automatic redaction technology that permanently removes data such as credit card number, credit card security code, social security number, and billing address from call recordings and transcripts. Once the information is redacted, nobody can access it on the user or provider side.
Some call tracking providers may require you to turn off critical call analytics features because they use call recordings and transcriptions but do not have PCI DSS-compliant redaction capabilities. Furthermore, they may not be able to redact the type of information that your business deals with. Be sure to examine this closely when choosing a call tracking provider and make sure their route to PCI compliance meets your call analytics needs.
Last, but certainly not least, there is the Health Insurance Portability and Accountability Act or HIPAA. This standard only applies to U.S. healthcare marketers and their agencies, so if you’re not in healthcare, you can skip to the bottom.
HIPAA was instituted to provide data privacy and security provisions for safeguarding the medical information of individuals. Specifically, it regulates the use and transfer of medical information in four areas:
It requires that healthcare companies and their business associates (e.g., vendors, agencies, technology providers, etc.) enter into contracts known as Business Associate Agreements (BAAs) to ensure that those business associates will adequately safeguard protected health information (PHI).
There is no formal certification process for HIPAA; it relies mainly on self-attestation that a company is HIPAA compliant. The BAAs are put in place to give some legal teeth to the liability and accountability of all parties involved for upholding the requirements of the standard.
Due to the prevalence of HIPAA and the necessity of the BAA, most call tracking providers, including Invoca, meet this standard and will work with you to ensure that they are operating in accordance with the BAA that you have put in place. That means there aren’t any real “gotchas” for being HIPAA compliant that you need to watch out for.
Now that you have a better high-level understanding of what the four significant privacy, security, and compliance standards are, you might still be asking yourself, “but, why does this matter to me?” First, if you are a part of the martech selection process, your security team is going to ask you about this stuff and you’ll want to know the answers. Second, you need to be skeptical of the ways that vendors achieve compliance: is it a workaround that limits functionality, or are they really fully compliant? If it is a workaround, you may find yourself operating with one hand tied behind your back.
At Invoca, we believe that compliance is a necessity, not a luxury, and we don’t do workarounds. We believe in compliance without compromise. You shouldn’t have to choose between the data you need and the compliance standards you need to meet, and with Invoca, you don’t have to make that choice.
Get the Call Tracking Study Guide for Marketers to learn everything you need to know about Invoca. You can now skip the section on security, too.