Governance, Risk Management, and Compliance
In this blog, we’re going to talk about a specialized area of business where STT can offer a lot of support: Governance, Risk Management and Compliance, or GRC.
All three of these pieces are slightly different. Governance is the combination of processes that come from the highest levels of an organization, and are reflected in its structure and how it’s managed. Risk management is all about predicting and managing risks that could get in the way of the business achieving its goals. Compliance means keeping within both imposed or mandatory boundaries, such as laws and regulations, and boundaries that a company voluntarily puts in place, such as internal policies and procedures. The reason for combining them is that it’s just more efficient! Governance, risk management, and compliance all target similar areas of the business, and generate information that the other two pieces could make use of. Keeping them separate leads to a lot of duplicated effort.
There are some key GRC concepts which are relevant for STT. One such concept is redaction. In most companies, calls between agents and customers will involve some sort of important information which needs to be kept concealed. Examples include Social Security numbers, bank account details, or home addresses. Speech transcription software can be created to automatically remove -- or redact -- this sort of information from a transcript, keeping it protected appropriately.
One type of information that needs to be redacted is referred to as PII or Personally Identifiable Information. This is any information that identifies something sensitive or important about a person. Health data is a great example. Information about your health status and history can reveal things that really should be kept between you and your healthcare provider. This is one of the reasons why HIPAA, the Health Insurance Portability and Accountability Act, was put in place. It ensures that personal health information is handled properly in many ways, including when stored during transcription.
GDPR, the General Data Protection Regulation, is another important piece of legislation governing the use of sensitive information, including PII. Although the General Data Protection Regulation is a product of the European Union, it affects those outside of the European Union as well, because any company processing EU citizens’ data must comply with the new regulations.
Basically, GDPR says that EU citizens hold complete authority over their personal data. So if they wish for you to delete their data, or provide them with the data your company stores on them, you must agree. So, if an EU citizen has given their data to a business, but later decides that this was a bad decision and wants it back, the business is legally required to comply.
You also have to have an identified data security officer, and have defined processes in place to govern how data is managed. Under these new regulations, information breaches can cost your company up to 4% of its revenue, so it’s definitely worth keeping in compliance!
Along similar lines, the Payment Card Industry, or PCI, has put in place a general security standard (the Payment Card Industry Data Security Standard, or PCI DSS) that providers handling payment card data -- such as credit card information -- need to comply with. The purpose here is to protect stored credit card information, by ensuring companies keep several layers of data protection in place if storing credit card information. This global standard has a lot of requirements, and one key requirement is ensuring that cardholder data, such as card numbers and expiry dates, are only stored in an encrypted or truncated form. Automatic redaction during the transcription process is a crucial method for ensuring that companies stay PCI compliant.
Those are some of the key terms that you will encounter when considering GRC in the context of STT. I’m sure there will be lots of new terms that need explaining soon, so stay tuned for Part 7!
This blog is part of a series!