Are you ready for GDPR?
At Network Telecom, we've pulled together the below GDPR FAQs to help your business prepare for the changes. Whether you want to ensure that you're taking the right measures when it comes to call recording or you want to learn more about what the team here at Network Telecom are doing to help your business, we hope this guide will be useful.
GDPR: WHAT IS IT?
Europe's data protection rules are due to undergo their largest overhaul in 20 years. When current regulations were drawn up in the late 1990s, the internet & rules around IT security were still in their infancy.
The General Data Protection Regulation (GDPR) is a new, EU-wide law that gives greater power to regulators to penalise companies who mishandle data or are not transparent about use recording, storage and use of that data.
GDPR is proposed by the Council of the European Union & European Commission intended to strengthen and unify data protection for individuals & businesses. It is the culmination of four years of efforts to update data protection for the 21st century & replaces the previous 1995 data protection directive; which current UK law is based upon.
GDPR is particularly concerned with data that contains personable identifiable information (PII) and the implications of such data being breached.
A ‘data breach’ is a confirmed incident in which personal, sensitive, confidential or otherwise protected data has been accessed and/or disclosed in an unauthorised fashion.
WHEN DOES IT HAPPEN?
GDPR will apply to all UK businesses from 25 May 2018. Because GDPR is a regulation, not a directive, the UK does not need to draw up new legislation - instead, it will apply automatically.
Businesses that collect personal or sensitive information will need to comply with strict new rules around protecting data by this date.
WHAT IS PERSONAL IDENTIFIABLE (PII) INFORMATION?
Personal identifiable information data' is defined in section 2 of the Data Protection Act as sensitive or personal data consisting of information relating to the data subject. Personal data is a complex category of information, broadly meaning any piece of information that can be used to identify a person. This can be a name, address, email address, telephone number, national insurance number or bank account details.
DOES IT EFFECT ME?
Yes. It effects every UK business, regardless of the products/services you supply or the industry you operate in. If you record, capture, store or handle any personal identifiable information in regards to individuals, customers, suppliers or others, you are responsible for the security & protection of that data.
HOW CAN I ENSURE I AM GDPR COMPLIANT?
There is no GDPR badge or accreditation. GDPR is simply a set of ‘best practice’ guidelines that should be followed and adhered to in order to be compliant.
Most importantly, you must have consent from the data subject to record and store their data in the first place. Consent must be an active, affirmative action by the data subject, rather than the passive acceptance under some current models that allow for pre-ticked boxes or opt-outs.
In the event of a data breach or data vulnerability being reported, you must be able to prove you had lawful consent from that subject to record, process & store their data.
You must then prove you took all reasonable steps to protect their data whilst in your possession and avoid that data being breached.
HOW DO I PREPARE FOR IT? WHAT CHANGES DO I NEED TO MAKE?
As a business owner you should take reasonable steps to protect the data you hold. This includes ensuring the physical and IT security of that data.
You need to be aware of the regulation, determining which info is held, updating procedures and understanding what should happen in the event your data is breached. To minimise the risk of suffering a data breach in the first place you would be wise to review your current processes and undertake a data mapping exercise to fully understand:
- The different ways you or your employees are capturing data
- Where this data is being stored
- Who has permissions to access this data?
- What devices can the data be accessed on?
- Is the data taken or being captured outside the business?
- What levels of security do you have in place?
If you currently utilise call recording functionality on your business phone system, whether the system is supplied by Network Telecom or not, you may be required to make some adjustments to your call handling processes.
If calls are being recorded (incoming, outgoing or both) and stored, then you may need to make callers aware of this. However, you are only obliged to do this when and if, the caller is providing you with personal or sensitive data. If personal data is being discussed, then you must make the subject aware of this and gain their lawful consent.
It is each business’ responsibility to ensure they are making callers aware that calls are being recorded.
This can be achieved in any manner you wish. Normal methods including reading a small data protection statement at the start of each call or at the moment before personal information is about to be passed over.
In addition to this you may wish to raise further notice by setting up a pre-recorded notification on your phone system auto attendant.
HOW IS NETWORK TELECOM HELPING TO ENSURE MY BUSINESS IS COMPLIANT?
Depending on the phone system supplied to you by Network Telecom you may have been provided with an on-site server. This server may have multiple uses such as storing your call recordings, supporting the software that connects your phone system to your computer (CTI) and to allow remote dial-in access into your phone system for support purposes.
The physical security of this server is your responsibility but as the supplier of the server, Network Telecom will take reasonable steps to ensure the IT and network security of this device is sufficiently covered.
All call recordings currently benefit from 256-bit AES encryption.
As of May 1st 2018 Network Telecom will also be installing AVG Anti Virus Enterprise edition onto this server for each customer. This business grade security product will ensure reasonable steps have been taken to protect the security of this device and its contents on your network.
The supply of this Anti-Virus product will carry a small monthly subscription charge with the opportunity to ‘opt-out’ should you wish. However, customers must understand the consequences of doing so should a data breach be incurred and this may effect your ability to prove reasonable steps were taken to prevent such a breach.
If you would like to add a message to your attendant, then please contact the office or your Network Telecom account manager.
WHAT ELSE CAN I DO TO ENSURE I’M COVERED?
As a business there are many preventive actions you can take to ensure your business and data handling procedures are GDPR compliant. You may want to think about the various devices you have in use including the location of these devices and their movement if given to employees.
You should review your IT security and protection levels such as Anti-Virus, Anti-Spam & the firewall protection on your network.
If you currently have ‘on premise’ servers for data storage, operating systems, software, business emails or hosting, you may want to consider moving these into a cloud based environment so that the physical and IT security responsibilities move from you to the hosting provider.
If your employees work using mobile devices e.g. laptops, tablets & mobile phones you may wish to invest in mobile device management software which can you use to protect and secure these devices.
Again, all of these are examples represent preventative measures that you can use to show you have taken reasonable steps to be GDPR compliant.
If you would like to speak about any of these opportunities, please speak to Network Telecom.
WHAT ARE THE CONSEQUENCES
One of the biggest, and most talked about, elements of the GDPR is the power for regulators to fine businesses that don't comply with it. In the UK GDPR is being enforced by the the Information Commissioner's Office (ICO).
If an organisation doesn't handle an individual's data in the correct way, it can be fined. If it requires and doesn't have a data protection officer, it can be fined. If there's a security breach, it can be fined.
These monetary penalties will be decided upon by the ICO and GDPR states smaller offences could result in fines of up to €10 million or two per cent of a firm's global turnover (whichever is greater). Those with more serious consequences can have fines of up to €20 million or four per cent of a firm's global turnover (whichever is greater).
It's your responsibility to inform your data protection authority of any data breach that risks people's data protection within 72 hours of your organisation becoming aware of it. Those who fail to meet the 72-hour deadline could face additional fines.
For any further information about GDPR and how your business can prepare, please email firstname.lastname@example.org or call 01952 221 327.