The hidden compliance risk inside everyday support conversations

Written By Florian Baptiste

Everyday support conversations are now a real compliance risk

Customer support channels used to feel relatively safe. Today they sit at the front line of GDPR exposure.

Across three recent audits completed through Isara, conversations that looked routine at first glance contained repeated examples of sensitive personal and financial data. In some teams, as many as 10 percent of conversations contained at least one clear compliance risk.

For leaders in customer support and customer success, this is no longer a theoretical concern. It is a concrete operational risk that shows up in chat, email, and ticket threads every single day. Isara was designed to give those leaders visibility into these patterns before they turn into formal incidents.

What we saw inside real support conversations

Although the three audited companies work in different segments, the underlying patterns were strikingly similar.

Across them, between 3 percent and 10 percent of recent support conversations contained at least one clear compliance issue. That gap alone shows why leaders need monitoring. In one team, the risk is rare but persistent. In another, almost one conversation in ten has something that a regulator would want to see fixed.

The most common issues fell into three categories.

1. Sensitive personal and financial data shared in plain text

In many conversations, agents or users shared details such as:

• Full names and full home addresses

• Specific loan or account numbers

• Full dates of birth

• Refund amounts and check or payment references

In most of these cases, none of that information was actually required to progress the support request. It was shared out of habit, convenience, or because templates encouraged it.

This cuts directly across the principle of data minimisation, which requires organisations to collect only what is necessary and avoid excessive personal information. Recent guidance aimed at employers and service providers has emphasised this point and warns against gathering information that is not directly relevant to the stated purpose. 

The same messages also conflict with the security principle in GDPR, which expects organisations to keep personal data secure and limit exposure through routine operational channels. 

2. Repeated use of high risk identifiers in normal support threads

In a significant number of conversations, high risk identifiers such as loan or account numbers and complete dates of birth were sent back and forth in normal support messages without any extra protection.

When high risk identifiers travel repeatedly through unencrypted or lightly protected channels, the risk profile changes. Any compromise of a mailbox, a shared inbox, or a chat provider immediately exposes data that can be linked to an identifiable individual.

Regulators and specialist advisors have repeatedly pointed out that email and similar channels remain a leading source of GDPR breaches, especially when used for sensitive content without adequate safeguards. 

Isara surfaces these repeated patterns so that leaders can see not just isolated mistakes but structural habits inside their teams.

3. Data erasure requests that do not receive structured follow up

In one of the audits, a user asked for their account to be deleted. This kind of message activates Article 17 rights and starts a legal countdown for the organisation.

The real risk was not that the request existed. The risk was that it appeared in a support thread with no visible workflow behind it. There was no clear indication that the ticket had been routed to the correct owner, no confirmation to the user, and no evidence that the conversation itself would be handled according to erasure rules.

This is exactly the kind of support situation that can turn into a regulatory complaint later.

Isara can flag these erasure related requests in real time, so teams can route them to the correct process, confirm completion, and report on volume over time.

Why this matters more in 2025

The wider regulatory environment is not standing still.

• New guidance for UK organisations under the Data Use and Access Act has underlined that changes to data protection and privacy rules will be phased in between 2025 and 2026, with further updates expected from the regulator. 

• Recent breach roundups show that tens of millions of records continue to be exposed each year, often through operational systems such as customer service tools and analytics platforms. 

• The DeepSeek incident and other exposed chat logs in early 2025 highlighted how much sensitive content can sit in conversational data sets, including financial and family details, once they are breached. 

In this context, support and success conversations cannot be treated as a low risk corner of your compliance posture. Isara treats them as a live, high value signal that needs continuous oversight.

From random spot checks to continuous compliance intelligence

Most leaders already know they need better control of sensitive data. The question is how to achieve that without slowing down service.

The audits behind this article suggest a practical way forward. Instead of relying on annual reviews or manual spot checks, treat your support conversations as a streaming data source and build a simple compliance model around them.

Here is a three layer model that reflects what we saw in the data.

Layer 1: Volume of risky conversations

Start by measuring the percentage of live conversations that contain:

• Any high risk identifier

• Any unnecessary sensitive personal data

• Any data subject right request such as erasure or access

In our sample, this percentage ranged from 3 percent in a relatively mature team up to 10 percent in a team with more ad hoc practices. In most organisations, simply quantifying this number will change executive conversations about compliance.

Isara automatically tags conversations containing these elements, so leaders can see their percentage over time and compare teams or channels.

Layer 2: Repetition and escalation pattern

Next, look at repetition.

• How often does the same user or agent send high risk identifiers more than once in a thread

• How many messages in a conversation contain unnecessary personal or financial data

• How often do erasure or other rights requests sit in the same status for more than forty eight hours

When repetition is high, it suggests that compliance issues are built into policies, templates, or training. A one off mistake needs education. A repeated pattern needs a change to process or tooling.

Isara tracks these patterns across thousands of conversations and can highlight where training, scripts, and macros are reinforcing risky behaviour.

Layer 3: Organisational response and accountability

Finally, measure how your organisation responds.

• What percentage of identified risky conversations are reviewed by a human

• How quickly do erasure or access requests move from support to the data protection team

• How many conversations raise compliance concerns but never receive specific follow up

This layer is where leadership action lives. Data minimisation, integrity, and confidentiality are not just principles on a poster. They are visible in routing rules, review workflows, and how seriously leaders take the findings.

Isara connects these three layers into a single monitoring view. Leaders can see the volume of risky messages, the patterns behind them, and the effectiveness of their response in near real time.

FAQ: How Isara helps with compliance in support conversations

How does Isara help us reduce sensitive data in everyday conversations

Isara analyses live support conversations and tags messages that contain personal and financial details such as addresses, dates of birth, or account references. By surfacing these patterns at team and agent level, it helps leaders adjust scripts, macros, and policies so that only the minimum required data is ever requested or stored.

Can Isara detect repeated use of high risk identifiers across channels

Yes. Isara uses both proprietary models and large language models to detect high risk identifiers such as account identifiers or full dates of birth across chat, email, and ticket comments. Leaders can see where these show up most often, which agents or teams need support, and whether particular templates are causing repeated exposure.

How does Isara support our obligations under Article 17

Isara can flag phrases that indicate an erasure request or similar data subject right and surface them in a dedicated view. This makes it easier to route those conversations to the correct owner, track their progress, and evidence that they were handled on time. Over time, leaders can report on volumes and response times to these requests.

Can Isara help our data protection officer work with support and success teams

Isara acts as a shared monitoring layer across support and success, with a specific focus on live conversational risk. Data protection and security leaders can use Isara dashboards to identify where policies are not followed in practice and to verify that fixes reduce risk over time.

Is Isara a replacement for our existing compliance program

No. Isara is designed to complement existing compliance and security programs by providing deep, continuous visibility into the support and success conversations that often escape traditional controls. It helps leadership teams close the gap between stated policies and real world behaviour in front line channels.

Florian Baptiste
Next

Best tips to scale customer success in a growing SMB