Businesses, large and small, are in the midst of preparing for compliance with the European Union’s (EU) new data privacy law, the General Data Protection Regulation (GDPR), which goes into effect on May 25, 2018. The GDPR is very broad in scope and can apply to businesses both inside and outside the EU. Businesses that don’t comply with the GDPR could face heavy fines.
The following is an overview of GDPR and details about how CallTrackingMetrics can help you comply.
And, don’t miss our upcoming GDPR webinar, where we will cover GDPR resources and address your questions, live with our panel of experts.
So… What is GDPR?
GDPR is short for the General Data Protection Regulation, which goes into effect on May 25, 2018. It was passed by European lawmakers to create a consistent data privacy law across all EU member states. Its purpose is to:
- support privacy as a fundamental human right;
- require companies that handle personal data to be accountable for managing that data appropriately; and
- give individuals rights over how their personal data is processed or otherwise used.
What is personal data?
GDPR defines personal data as “any information relating to an identified or identifiable natural person”.
In addition to the kinds of information you might expect (name, address, email address, financial information, contact information, identification numbers, etc.), personal data can in some cases be information related to your digital life, like an IP address, geolocation, browsing history, cookies, or other digital identifiers.
It also could mean information about a person, including their physical, mental, social, economic or cultural identities.
In short, if information can be traced back to or related in some way to an identifiable person, it is highly likely to be personal data. You can find out more about the GDPR here.
What rights does the GDPR provide to individuals?
There are several rights an individual may exercise under the GDPR, including:
- Right of access: Individuals can ask for a copy of the personal data retained about them and an explanation of how it is being used.
- Right to rectification: Individuals have the right to correct, revise or remove any of the personal data retained about them at any time.
- Right to be forgotten: Individuals can ask to delete their personal data.
- Right to restrict processing: If an individual believes, for example, that their personal data is inaccurate or collected unlawfully, the individual may request limited use of their personal data.
- Right of portability: Individuals have the right to receive their personal data in a structured, commonly used and machine-readable format.
- Right to object: Where an individual decides that they no longer wish to allow their personal data to be included in analytics or to receive direct marketing emails or other personalized (targeted) marketing content at any time, the individual may opt out of use of their data for these purposes.
Please note that these rights are not absolute, and limitations/exceptions may apply in some cases.
Roles and responsibilities of the GDPR
Generally speaking, there are two types of parties that have a responsibility regarding the handling of data: the “controller” and the “processor.” It is important to determine whether you are acting as a controller or a processor and understand your responsibilities accordingly.
- A “controller” determines the purposes and means of the use of personal data.
- A “processor” on the other hand, only acts on the instructions of the “controller” and processes personal data on their behalf.
- A “sub-processor” is another processor engaged by a processor. Under the GDPR, the controller must know about the sub-processors that a processor is using and must have a way to give its authorization when its processor intends to entrust all or part of the tasks assigned to it to a sub-processor.
So, for example:
- CallTrackingMetrics is a controller in relation to your personal data that you provide to us as our customer. For example, your contact information when you create your account, your billing records etc.
- You are the controller in relation to the data you collect from your customers and use on our application. In that scenario, CallTrackingMetrics is your processor. For example, when facilitating phone calls and text messages and providing you analytics on those exchanges, we are acting as a processor on your behalf. As a controller, it is your responsibility to ensure that you have the necessary notices and/or consents in place in order to gather personal data using our application.
- CallTrackingMetrics uses sub-processors like Twilio and Amazon AWS to handle certain processing activities. This diagram will help explain:
What is CallTrackingMetrics doing to comply with the GDPR?
Privacy Policies: Our new privacy policies, which go live on May 1st, explain what information we collect and how we handle your personal data where the GDPR applies. They break down into two policies: one covering the case where we are collecting information as a “Controller”, the other covering the case where we are collecting information as a “Processor” (i.e. processing information for our Customers).
Both statements include descriptions of how your personal data may be used by CallTrackingMetrics and who to contact if you have questions or concerns. Where required, we will also support you, as a CallTrackingMetrics customer and controller, in fulfilling GDPR-related data subject requests you receive from your customers.
Terms of Service: Our new Terms of Service, which also go live on May 1st, include some important updates for GDPR:
- Customer Personal Data defined
- New Data Protection section added, which includes information about:
  - International Transfers, clarified with Standard Contractual Clauses
  - Obligations of CallTrackingMetrics
  - CallTrackingMetrics’ sub-processor obligations
  - Obligations of Customers
Sub-processors: As part of GDPR, CallTrackingMetrics needs to provide transparency about the sub-processors it uses to assist it in providing the CallTrackingMetrics Services. A sub-processor is a third-party data processor engaged by CallTrackingMetrics that has, or potentially will have, access to or process Customer Data (which may contain Personal Data).
CallTrackingMetrics uses a commercially reasonable selection process by which it evaluates the security, privacy and confidentiality practices of proposed sub-processors that will or may have access to or process Customer Personal Data.
Our new Terms of Service provide detail about how we will post notices about any changes to the sub-processors. You can find the latest list of sub-processors here.
Transfers: Our new Terms of Service include information about data transfers. Our processing facilities are located in the United States of America. To ensure compliance under GDPR, our Customers (as “data exporter”) and CallTrackingMetrics (as “data importer”), enter into the Standard Contractual Clauses with respect to the transfer from Customer to CallTrackingMetrics (or onward transfer). You can read more about this in section 21 of the Terms of Service.
What do you need to do differently to comply with GDPR?
If the GDPR applies to you, there are various obligations you will need to comply with in order to collect analytics on your phone calls and other interactions. Luckily, not all of these obligations are new, so you should be complying with some of them already.
The most important differences in this context are as follows:
- More information about your use of personal data must be communicated to your customers. You should make sure that your privacy notices/policies are updated to reflect the new requirements of the GDPR, including setting out the purposes of your processing personal data, how long you are retaining such data, and what legal basis for use of personal data you are relying on.
- Any forms you use on your website should include clear and specific language about all the possible ways you will be using your contacts’ personal data.
- You should determine the legal basis for your use of personal data: If you are relying on consent to use your contact’s data you should ensure that the consent you have meets the new requirements of the GDPR (more details on this below).
- You will also need to comply with the rights provided to individuals by the GDPR.
How can CallTrackingMetrics help you comply with GDPR?
We have a number of tools and recommended configurations available in your account to help you comply.
- Make sure each person logging into your account is using their own unique login for security and tracking purposes. (managed in users)
- For added login security, enable two-factor authentication to ask for a verification code every time or every 30 days. (managed in account settings)
- Require a user to log in and use a security PIN to listen to any call recording links. (managed in agency settings)
- Enable encryption for your audio recordings so they are encrypted in transit and at rest. (managed in call settings)
- Consider turning off Caller ID if you do not need to collect the name or location of your callers (managed in call settings).
- Enable automatic redaction features:
  - Redaction removes personal information from records of calls, texts, and forms.
  - Redaction can be configured to occur daily, every 30 days, every 60 days, or every 90 days. (managed in agency settings)
  - If you don’t want to use automatic redaction, you can manually redact information from any of your interactions. (managed in the call log or text log)
- If using CallTrackingMetrics FormReactor, be sure to include language in the form that explains to people what you are doing with their information and use a checkbox to gain their consent. (managed in your FormReactor)
- If using outbound text or call programs, be sure to keep your “do not contact” lists up to date. (managed in do not call list or do not text list)
- To access or edit a contact’s data, you can do that right in your call log or text log.
- To export data, you can use the export calls or export texts options.
- If you are recording calls, you need to gain consent to be recorded or demonstrate a lawful basis for recording. You can use features like voice prompts and IVR menus to gather consent.
Some things to avoid:
- Avoid configuring triggers, notifications, or exports that provide unsecured access to personal information.
- CallTrackingMetrics recommends exporting any data from CallTrackingMetrics through the API or through the use of the secure SFTP export option.
- Be sure that “Enable Enhanced Caller ID” is turned off. That is an optional service that collects demographic information for callers. (United States only; managed in call settings)
- Do not assume that just announcing call recording is enough. You most likely need consent to be recorded.
Have more questions about GDPR?
NOTE: The information included on this page is meant to guide you through the process of understanding GDPR and is not a substitute for legal advice. Find more information on the GDPR website.