CallTrackingMetrics Tools for GDPR Compliance
GDPR is short for the General Data Protection Regulation that goes into effect on May 25, 2018. It was passed by the European lawmakers to create a consistent data privacy law across all the EU member states. Its purpose is to:
- support privacy as a fundamental human right;
- require companies that handle personal data to be accountable for managing that data appropriately; and
- give individuals rights over how their personal data is processed or otherwise used.
Recommended Tools and Settings
CallTrackingMetrics offers a number of tools and recommended configurations to help you comply with GDPR requirements.
- Make sure each person you have logging into your CallTrackingMetrics account are using their own unique login for security and tracking purposes.
- For added login security, enable two-factor authentication to ask for verification code on every login or every 30 days.
- Require a user to login to listen to any call recording links.
- Enable encryption for your audio recordings so they are encrypted in transit and at rest.
- Consider turning off Caller ID if you do not need to collect the name or location of your callers.
- If you expect sensitive information such as Social Security numbers or personal phone numbers to be exchanged, you should enable Secure Call Transcriptions which will automatically detect the presence of that information in your interactions and will redact them from your recordings and transcriptions.
- Enable automatic redaction features on your account
- Redaction removes personal information from records of calls, texts, live chats and forms in your account.
- Redaction can be configured to occur daily, every 30 days, every 60 days, or every 90 days.
- If you don’t want to use automatic redaction, you can manually redact information from any of your interactions.
- If you are using FormReactor, be sure to include language in the form that explains to people what will happen once they fill out the form, what you are doing with their information and use a checkbox to gain their consent to those next steps.
- If using outbound text or call programs, be sure to keep your do not contact lists (for calls and texts) up to date based on the consent you have received and/or opt out requests that have come in.
- You can edit a contact’s data as needed in your call log or text log.
- To export data, you can use the export calls or export texts options.
- If you are recording calls, you need to gain consent to be recorded or demonstrate lawful basis for recording. You can use features like voice prompts and IVR menu’s to gather consent.
Some things to avoid:
- Avoid configuring triggers, notifications, or exports that move call data out of CallTrackingMetrics into emails or text messages, as these modes of communication are not generally secure and CTM cannot control the security of those systems. If choosing to use any of these features to send personal data outside of CTM application, it is your responsibility to ensure security of the information once it leaves CTM.
- CallTrackingMetrics recommends exporting any data through the API or through the use of the secure SFTP export option.
- Be sure that “Enable Enhanced Caller ID” is in the off position. That is an optional service that collects demographic information for callers.
- Do not assume that just announcing call recording is enough. You most likely need consent to be recorded.