The European Union General Data Protection Regulation -- more commonly known as GDPR -- goes into effect May 25, 2018. GDPR rules include various components to regulate the handling of personally identifiable information for people living within European Union member countries. Fines for failing to follow GDPR rules can be steep: up to 4% of global revenue or 20 million euros -- whichever is greater.
GDPR empowers individuals by giving them access to their data. Under GDPR rules, individuals can move data from one repository to another and have their data removed from repositories completely.
GDPR also puts limits on data gathering and mandates that companies handling personal data provide breach notifications. In addition, organizations that process data from at least 5,000 individuals a year are required to appoint a data protection officer to ensure GDPR enforcement.
For organizations, the primary benefit of GDPR is harmonizing data privacy rules across the European Union. No longer will companies have to navigate a mix of varying regulations.
On the downside, GDPR rules will require companies operating in the European Union to ensure they are in compliance even if information gathered from EU citizens is stored or processed outside the EU.
Collaboration apps gather reams of data
The first step in any GDPR compliance approach is appointing a data protection officer. This position is required if you have data on more than 5,000 EU citizens, but it's potentially not a bad idea even if you're under that number.
Specific to unified communications and collaboration (UCC) applications, you'll want to conduct an impact assessment that addresses the following:
- Ensure you're aware of what information you are capturing from individuals. For instance, does your UCC platform capture customer data, perhaps in messaging applications or call data records?
- Know where data is stored. Is it on your servers, for example? Or, is it on a cloud provider's servers?
- Identify applications that store personally identifiable information. In the unified communications (UC) space, this could include conferencing applications that capture participant information, voicemails, email, chat sessions, call data records, location information, or customer data records held in contact center platforms or customer relationship management (CRM) systems.
- Understand how your suppliers ensure compliance. You might use cloud-based providers for applications such as CRM, customer engagement or customer collaboration. At a minimum, you'll want to ensure these providers are in compliance and can demonstrate their compliance capabilities to you. Some companies have already started sharing their GDPR compliance efforts.
- Assess the risk of noncompliance or data breaches. Even the best security architectures are subject to unknown threats, as we saw with the emergence of Spectre and Meltdown. Work with your legal and risk management teams to understand your potential exposure and determine if you need to purchase breach insurance.
- Log customer interactions accurately. Make sure you know what data you are capturing, where it is stored and processed, and how customers can opt out of data retention.
- Develop a reporting mechanism. Under the GDPR rules, you'll need to report any breach within 72 hours of discovery.
- Test and plan for potential breaches. Again, a key to a successful GDPR implementation strategy is taking the necessary steps before a breach occurs, which means regular auditing, testing and planning for responses in the event of a data breach.
- Communicate with your customers. Let your customers know the steps you've taken to ensure you are GDPR-compliant.
As with any compliance effort, UC leaders should work hand in hand with their legal and risk management functions to ensure they understand what is required. UC leaders need to implement certain controls to ensure they are meeting GDPR storage, reporting and customer access requirements.