What does non-compliance mean for the channel?

After years of build-up, the EU General Data Protection Regulation (GDPR) is finally here. For some people, its arrival was heralded with a flurry of desperate emails pleading for opt-ins (“Make sure you don’t miss out on our updates!”). For many businesses, however, the start of the GDPR was marked by a huge amount of activity, even panic.

The panic no doubt stems from the fact that the penalties for non-compliance with GDPR are severe. Failure to report a data breach will result in a fine of up to €10 million or 2% of annual turnover, whichever is greater. And failure to maintain the confidentiality of personal data in the event of a breach could cost a business €20 million or 4% of annual turnover, whichever is higher.

But what does the GDPR mean for the channel? To help customers stay on the right side of the new regulations (and avoid those damaging fines), channel resellers must consider what they can offer to ensure compliance.

Recording calls – Securing sensitive data

Some of your customers will routinely record calls; it’s a cornerstone for many businesses that need these recordings for staff training, insurance or best practice purposes. However, because many of those call recordings will contain personal data (information that could be used to identify an individual, in GDPR parlance), they are subject to the new regulations. This means that the organisation must have a lawful reason for recording that information, and that it must be able to protect and manage that data in a compliant way.

The challenge here is that some telephony systems are not necessarily all that secure – many do not even encrypt call recordings. There’s a similar issue with voicemail (something arguably every business in the country uses to some extent) – a customer could leave their details in a voice message that is protected only by a four-digit PIN. Such lax security measures are no longer sufficient under the new regulatory regime, and businesses must demonstrate a greater commitment to securing sensitive data.

There is also the fact that the GDPR grants individuals an enormous amount of control over their personal information and how it is used. They can demand, amongst other things, to have their data updated, provided to them in an easy-to-access format, or deleted altogether. A lot of businesses will not necessarily have the infrastructure to meet these demands. Many may not even be able to locate every call recording relating to a specific individual. Organisations must implement infrastructure that makes this possible, or face the penalties for non-compliance.

What this means for the channel

The good news is that there is an opportunity for channel partners to provide their customers with the telephony systems that will help them achieve compliance. For partners, offering the technical framework to deliver crucial new capabilities will be a significant source of revenue in a post-GDPR world.

However, channel resellers must themselves become increasingly wary of non-compliance. The new regulations significantly increase the scope of responsibility in the event of a data breach. Any supplier that provides a data storage solution for customers, processes data on behalf of a customer, or holds data on customers that could be used to identify them, may themselves be subject to fines if a breach occurs.

Channel resellers must be aware of their own liability and take steps to ensure their processes and solutions are compliant. Key among these is the requirement that organisations notify the relevant data protection authorities no more than 72 hours after a breach. As such, all solutions provided to customers must have robust, rapid detection and notification procedures in place in the event of an attack. Partnering with the right provider can help. It’s the best way to protect both your customers and yourselves from the potentially crippling penalties that result from GDPR non-compliance.