CallTrackingMetrics & the General Data Protection Regulation (GDPR)

CallTrackingMetrics is Committed to Your Data Protection

GDPR stands for the European Union’s General Data Protection Regulation and replaces the Data Protection Directive. The purpose of GDPR is to ensure appropriate protection of personal data in a digital society. CallTrackingMetrics is implementing processes to help customers prepare for GDPR before its effective date of May 25, 2018.

Customers will receive notifications of new functionality and changes to our policies via email, and we’ll also be updating this page and sharing content over the coming months, so check back often.

While CallTrackingMetrics will be providing information related to GDPR, the most authoritative resources will always be those produced by data protection regulators or the European Union itself. The full text of the GDPR can be found here.

Our Commitment to GDPR Compliance

Protecting Data

Our data protection team is dedicated to making sure CallTrackingMetrics is ready for GDPR by putting appropriate protection of personal data in place.

Revised Policies

As you prepare your business for GDPR, we're updating our policies and terms.

Being Proactive

As we develop new systems and product features, we're including a requirement to build in data privacy "by design."

Raising the Bar

We are building features that customers around the globe can use to manage their data, so that all customers, not only those in the EU, benefit from the protections GDPR requires.

GDPR Resources

Our updated Terms of Service contain additional provisions for data protection including information about sub-processors, transfers, and obligations of the parties.
Understand how GDPR may impact your business and what you need to do to be in compliance.
Learn more about our ongoing program of risk assessment, analysis and remediation.
Learn about how CTM is tackling GDPR compliance, and about our overall approach to data protection.

Data Security & Protection

Physical

All CallTrackingMetrics accounts are served from secure physical facilities with round-the-clock surveillance, multi-factor authentication for access, redundant availability zones, and secure logging. Amazon Web Services (AWS), where the platform is hosted, is audited against AICPA SysTrust, ISO 27001, and other leading physical security frameworks; the shared-responsibility model means AWS attests to the facilities, while CallTrackingMetrics remains responsible for the platform and application layers built on top of them.

Network

CallTrackingMetrics follows network security best practices to protect customer data along the whole path from the application, through the platform, to thousands of carrier connections around the world. Preventive measures include network firewalls, denial-of-service (DoS) and distributed DoS (DDoS) mitigation, and regular network posture assessment.

Multi-Tenancy

CallTrackingMetrics offers multi-tenancy in tiers. The underlying cloud infrastructure, the voice and messaging platform, and CTM-powered applications are logically isolated from one another even when they share the same server instance. Each customer's activity and data are kept separate and protected through account and sub-account boundaries, so one tenant cannot read or act on another tenant's records.

Security Audits

CTM regularly scans for security vulnerabilities and commissions third-party penetration tests. Access to production clusters is restricted to CTM engineers, and every such access is logged and audited.

24/7 Incident Response

We follow a defined incident response policy for triaging, responding to, and reporting vulnerabilities and security incidents according to their risk. A Security Incident Response Team is on call twenty-four hours a day, seven days a week, and monitors security alerts from upstream vendors.

Privacy Policies

Strict data privacy policies restrict access to sensitive data and ensure it is used only to deliver the services the customer has configured. All CTM employees are trained on HIPAA and on our privacy policies, and participate in regular security audits.

Disclaimer: This legal information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we recommend that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. You may not rely on this information as legal advice, nor as a recommendation of any particular legal understanding.

Frequently Asked Questions

Does the GDPR apply to me?

While the current EU legislation (the 1995 EU Data Protection Directive) governs entities established within the EU, the territorial scope of the GDPR is far wider: it also applies to non-EU businesses that (a) offer goods or services to people in the EU or (b) monitor the behavior of people in the EU (which can include tracking users on a website). Note that the test is whether the data subjects are in the EU, not whether they are EU citizens. In other words, even if you are based outside the EU, if you control or process the personal data of people who are in the EU, it is likely that the GDPR applies to you.

Are there any circumstances when GDPR does not apply?

GDPR has broad scope and reach, but it is not unlimited. If you do not have an establishment in the Union and you do not process personal data of individuals in the EU, GDPR will not apply to your activities. If you do not know whether you process such data, consider whether you offer any goods or services (even free ones) to individuals in the EU, or whether you monitor the behavior of individuals in the EU. If so, you are subject to GDPR. Recital 23 of GDPR indicates that it is not intended to apply to entities that may inadvertently process EU personal data but are not trying to provide their goods or services to people in the EU (for example, if your website is targeted at a North American market, but users from the EU nevertheless choose to access it). Recital 23 also notes that mere accessibility of a website from the EU is not, by itself, enough to establish that intention; factors such as offering an EU language or currency, or referring to EU customers, are.

What’s the definition of “personal data” under the GDPR?

Personal data means any information relating to an identified or identifiable natural person (the "data subject"). An identifiable data subject is someone who can be identified, directly or indirectly, for example by reference to an identifier such as a name, an ID number, location data, or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Importantly, this is a very broad definition and can encompass data like IP addresses of a user’s personal device, their device ID, or their phone number. It does not matter that the identifier could change (e.g., that the user could change their phone number or device ID). What matters is that the information can be used to “pick that user out of the crowd” even if you don’t know who that user is.

It is also important to note that the definition of personal data is not tied to concerns about identity theft in the way that definitions of personally identifiable information (PII) are under many US data breach laws. So, even if it seems there would be little privacy harm if someone got hold of your users' IP addresses, that does not mean those IP addresses are not personal data. It means only that this data may not require the same level of protection as more sensitive personal data, such as your users' credit card numbers. EU data protection law assumes there is inherent value in personal data, and therefore that a data subject is harmed whenever personal data is processed unlawfully, regardless of whether any financial loss could follow for the data subject.

Do I have to appoint a Data Protection Officer for the GDPR?

It depends. Article 37 of GDPR requires an entity to designate a data protection officer if any of the following applies:

  1. The processing is carried out by a public authority or body (except courts acting in their judicial capacity);
  2. The core activities of the entity consist of processing operations which, by their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale;
  3. The core activities of the entity consist of large-scale processing of special categories of data (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to uniquely identify a person, or data concerning health, a person's sex life or sexual orientation) or of personal data relating to criminal convictions and offences.

The Article 29 Working Party (WP29, the group of EU data protection regulators) has provided additional guidance on DPOs to help you determine whether you fall within one of these categories.

By way of practical guidance, an organisation processing special categories of data as part of its business model (e.g. an insurance, health or pharmaceutical company), or an organisation intensively profiling or tracking its customers (e.g. a bank or social media company), is very likely to need a DPO.

My company is HIPAA compliant. Will this help with my compliance towards GDPR?

Compliance with standards such as HIPAA can help with GDPR compliance, particularly with regard to security of processing (Article 32), but GDPR compliance is not interchangeable with HIPAA or with standards like ISO 27001. GDPR also imposes obligations that those standards do not cover, such as a lawful basis for processing, data subject rights, and breach notification to supervisory authorities. You should therefore not assume that being HIPAA or ISO 27001 compliant makes you GDPR compliant.

What are the penalties for non-compliance with GDPR?

Depending on the nature of the violation, data protection authorities may impose administrative fines of up to €20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher (a lower tier of up to €10 million or 2% applies to some obligations, such as those on security of processing and breach notification). Data subjects may also bring claims against an organisation that misuses their personal data, either individually or as part of an affected group of data subjects.

What core principles do I need to be aware of?

The GDPR is built on a foundation of key data protection principles (Article 5). These principles form the basis of GDPR compliance and should be applied to any activity that uses personal data:

  1. Obtain and process the personal data lawfully, fairly and transparently.
  2. Use it only for the purpose(s) for which it was collected
  3. Keep it safe and secure
  4. Keep it accurate and up-to-date
  5. Ensure that it is adequate, relevant and not excessive
  6. Retain it no longer than is necessary for the specified purpose or purposes

In addition, organisations must be able to actively demonstrate accountability for the principles set out above, for example through appropriate policies, guidelines, records of processing, and operational processes.

Will data now have to be stored in the EU?

No. There is no obligation under the GDPR to store data in the EU, and the rules on transferring personal data outside the EU are broadly unchanged. As long as the personal data is "adequately protected", it may be transferred abroad. For example, the European Commission maintains a list of countries it deems to provide an adequate standard of protection (countries covered by an "adequacy decision"), so data may be transferred to those countries without further safeguards. Where a country is not on that list (for example, the USA), the controller must rely on approved contractual safeguards (e.g. the Standard Contractual Clauses, also called Model Clauses, or Binding Corporate Rules) or on one of the other transfer mechanisms provided for in law, such as, at the time of writing, Privacy Shield certification. Note that the EU-US Privacy Shield was invalidated by the Court of Justice of the EU in July 2020, so it can no longer be relied on as a transfer mechanism.

Do I need to request a Data Processing Addendum from CTM?

No—we have built all the DPA obligations right into our new Terms of Service. In particular, Section 21 details:

  • the obligations of CallTrackingMetrics
  • sub-processor notifications
  • international transfers
  • and the obligations of the Customer

Annex 1 to the Terms of Service provides additional detail about the scope of processing.