The compliance deadline for the General Data Protection Regulation (GDPR) has come and gone, leaving all non-compliant organizations at a crossroads: get compliant or risk getting fined — with potentially devastating consequences to your business. According to Gartner, an estimated 50% of companies will spend 2018 veering dangerously close to the latter. Does this mean all hope is lost for non-compliant businesses? Not quite. It just means you need to put your technology stack under the microscope and chart a path to compliance. And communications technologies like conferencing, cloud phone and unified communications (UC) systems risk being the most neglected in the face of GDPR.
What GDPR Legislation Means to You
GDPR is an update to data privacy laws in the European Union (EU). In short, the new legislation gives customers ownership of their data and ensures businesses remain open and transparent about the customer data they collect. GDPR applies to all data generated by EU citizens as well as anyone having data stored in the EU.
Below is a quick refresher from TechTarget to help you understand how GDPR might affect your business.
Under GDPR, you may not legally process a customer’s personally identifiable information without meeting at least one of the following conditions:
- Express consent of the data subject.
- Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract.
- Processing is necessary for compliance with a legal obligation.
- Processing is necessary to protect the vital interests of a data subject or another person.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.
So What Does GDPR Mean for Communication Tech?
If GDPR compliance is still on your to-do list now that the May 25 deadline has passed, performing an impact assessment of your communications technology (and every other potential repository of customer information) should be your number-one priority.
Irwin Lazar, the Vice President and Service Director at Nemertes Research and a contributor to TechTarget, recommends following these steps to ensure your collaboration and communication applications are GDPR compliant:
Know what information you’re capturing from customers, where it lives and how accurate it is.
Does your GoToMeeting account capture contact information from your customers? Does your CRM feed customer data to collaboration suites like Microsoft Office 365? Make sure you’re aware of what customer data you’re capturing and where it’s stored across your communication stack. Don’t forget to consider seemingly innocuous things like phone systems and voicemails.
Talk to your suppliers.
If you haven’t already had a conversation with your technology suppliers about GDPR compliance, you’ll want to get them on the phone in short order. The right partner will not only have measures in place to comply with GDPR, they’ll also be transparent about their processes and eager to give you peace of mind.
Assess your risk for noncompliance or data breaches — and test a response plan.
A thorough impact assessment should give you a clear idea of how exposed your systems are to a data breach. It’s important to know your risk level so you can address your vulnerabilities proactively and ensure you have resources in place to manage a breach or noncompliance incident. With the necessary resources in place, you should then create, test and refine a plan for responding to breaches.
Develop (or optimize) your reporting system.
GDPR legislation says you must report any data breach within 72 hours of discovery. To meet this requirement, thorough and accurate reporting of customer information is a must. This includes information that may have been passed over the phone during customer service calls or over a web or video conference.
Talk to your customers.
At the end of the day, the basis for GDPR is giving customers back ownership of their data. This requires transparency, honesty and proactivity on your part as a business leader. So if you haven’t already had a conversation with your customers about GDPR and how it may impact them, do so. It’s better to broach the tough subjects now than after a customer’s data has been breached.
Questions on How GDPR Might Impact Your Business?
Understandably, new legislation can raise questions and present uncertainties. While we at Select Communications cannot advise you from a legal standpoint, we can direct you to resources that can guide you through the GDPR process if you need the support. If you’re unsure of the impact GDPR has on your business, contact one of our advisors today.