TRANSCRIPT
What does GDPR really mean for my Contact Centre operations?
Agenda
• GDPR – Debunking the myth
• The underlying legal changes that impact organisations
• Enghouse Interactive's approach to GDPR
EU General Data Protection Regulation: It’s not too late to get on the compliance journey!
Robert Bond – Partner, Data Protection
• BA (Hons) Law, Wolverhampton University
• Qualified as a Solicitor 1979
• Qualified as a Notary Public 1989
• Companion of the British Computer Society
• Certified Compliance & Ethics Professional
Robert Bond has nearly 40 years' experience in advising national and international clients on all of their technology, data protection and information security law requirements. He is a recognised legal expert and author in the fields of IT, e-commerce, computer games, media and publishing, data protection, information security and cyber risks.
He is a member of the Board of the Society for Corporate Compliance & Ethics, a Trustee of the UK Safer Internet Centre, Chairman of Data Protection Network, a member of the UN Data Privacy Advisory Group to the United Nations and an Ambassador for Privacy by Design.
Established in 1837, Bristows has always been associated with top-tier, full-service legal work involving innovative clients. Today we remain an independent, international law firm bringing together a diverse collection of talent to deliver high-quality legal advice and service.
GDPR – What you need to know and how to prepare
• Are you a controller or processor
• What personal data you hold
• How to communicate privacy information
• Individuals’ rights
• Legal basis for processing personal data
• Data breaches
• Data Protection Impact Assessments
• The role of the Data Protection Officer
• International data transfers
Remember to understand…
The myth: "GDPR compliance is focused on a fixed point in time – it's like the Y2K Millennium Bug". The ICO itself has rejected that comparison:
“I’m still picking up a lot of concern from organisations about preparing for the GDPR by May.
Much of that is understandable – there’s work required to get ready for the new legislation, and change often creates uncertainty.
However some of the fear is rooted in scaremongering because of misconceptions or in a bid to sell ‘off the shelf’ GDPR solutions.
I‘ve even heard comparisons between the GDPR and the preparations for the Y2K Millennium Bug.
I want to reassure those that have GDPR preparations in train that there’s no need for a Y2K level of fear”
Elizabeth Denham, Information Commissioner
Data Protection – Preparing for GDPR
Data Protection Principles
8 key principles of DP law – personal data must be…
• Processed fairly, lawfully and in a transparent manner (lawfulness, fairness and transparency)
• Collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes (purpose limitation)
• Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation)
• Accurate and, where necessary, kept up to date (accuracy)
• Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (storage limitation)
• Processed in accordance with data subjects' rights (rights of the data subject)
• Processed in a way that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage (integrity and confidentiality)
• Not transferred to a third country or to an international organisation unless the transfer provisions of the Regulation are complied with (transfers)
Note that GDPR Article 5(1) itself lists only the first five principles plus integrity and confidentiality, and Article 5(2) adds accountability: the controller must be able to demonstrate compliance with all of them. The separate "rights" and "transfers" principles carry over from the eight-principle structure of the UK Data Protection Act 1998; under GDPR they are obligations in their own right (Chapters III and V) rather than Article 5 principles.
Lawfulness of processing, legitimate interests and consent
• More flexibility to rely on 'legitimate interests' as a lawful ground to process personal data where there is a relevant and appropriate relationship between the data controller and the data subject
• Consent – remains a very high standard: it must be freely given, specific, informed and unambiguous, and given by a clear affirmative action (pre-ticked boxes, silence or inactivity do not count)
• A request for consent must be distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language
• It must be as easy to withdraw consent as it is to give it
Information to be provided to individuals
• Concise, transparent, intelligible and easily accessible form
• Clear, plain language
• Iconography (standardised icons may be used alongside the text, Article 12(7))
How to make legitimate interests "legitimate"
Recitals 47 to 50 in the GDPR give some examples of when a Controller may be able to rely on Legitimate Interests:
1) DIRECT MARKETING – processing for direct marketing purposes under Legitimate Interests is specifically mentioned in the last sentence of Recital 47.
2) REASONABLE EXPECTATIONS – where individuals have a reasonable expectation that the Controller will process their Personal Data, subject to the balancing test.
3) RELEVANT & APPROPRIATE RELATIONSHIP – where there is a relevant and appropriate relationship between the individual and the Controller, in situations where the individual is a client or in the service of the organisation. Examples would include (i) an individual who had recently (within the last 2 years) purchased goods or services from the Controller or donated to an organisation, or (ii) an individual who is a member of staff of the Controller.
4) STRICTLY NECESSARY FOR FRAUD PREVENTION – where the processing is strictly necessary for the purpose of preventing fraud. This could include verifying that the registered address of the cardholder for a particular credit or debit card is the same as the cardholder's normal place of residence or work.
5) ORGANISATIONAL – where Controllers that are part of an organisational group, or institutions affiliated to a central body, transmit Personal Data within that group or to the central body. However, the rules on transferring Personal Data to a country outside Europe must be complied with if this is relevant.
6) NETWORK & INFORMATION SECURITY – where the processing of Personal Data is strictly necessary and proportionate for the purposes of ensuring network and information security (Recital 49). An example would be monitoring authorised users' access to a Controller's computer network for the purpose of preventing cyber-attacks.
Guidance on the use of Legitimate Interests under GDPR
How to make legitimate interests "legitimate"
• If a Controller wishes to rely on Legitimate Interests for processing Personal Data it must carry out an appropriate assessment, which we have called a Legitimate Interests Assessment, or LIA.
• When carrying out an assessment, the Controller must balance its interest in processing the Personal Data against the individuals' interests, fundamental rights and freedoms (the balancing test).
• In certain circumstances an LIA may be straightforward. However, under the accountability provisions of the GDPR, the Controller must maintain a written record that it has carried out an LIA and the reasons why it concluded that the balancing test was met.
• Legitimate Interests may be considered where another legal basis is not available due to the nature and/or scope of the proposed processing; or where there are a number of legal bases that could be used but Legitimate Interests is the most appropriate.
Data Subject Rights
• Information (Arts 13–14)
• Access (Art 15)
• Rectification (Art 16)
• Erasure / right to be forgotten (Art 17)
• Restriction of processing (Art 18)
• Data portability (Art 20)
• Object (Art 21)
• Automated decision making / profiling (Art 22)
GDPR and processors – overview
• Controller must use only processors that provide sufficient guarantees that they will comply with GDPR
• There must be an appropriate contract between controller and processor
• Processor must have adequate information security
• Processor must not engage sub-processors without the prior written authorisation (specific or general) of the controller
• Processor must co-operate with the relevant DPA
• Processor must report data breaches to the controller without undue delay
• Processor may need to appoint a DPO
• Processor must keep records of processing activities
• Processor must comply with EU trans-border transfer rules
• Processor must help the controller comply with data subject rights
• Processors are directly liable for non-compliance
Contractual needs with Processors
• Documented instructions (the processor acts only on the controller's documented instructions)
• Confidentiality
• Information security
• Control of sub-processors
• Measures to help the controller comply with data subject rights
• Co-operation with the controller and the DPA
• Destruction or return of data at the end of the contract
• Provide the controller with evidence of GDPR compliance, and allow for audits
Data Transfers
• Safe Harbor (invalidated by the CJEU in October 2015; no longer a valid transfer mechanism)
• EU-US Privacy Shield (its replacement; note that the CJEU invalidated it too, in July 2020)
• European Commission approved Model Contract Clauses (Standard Contractual Clauses)
• Binding Corporate Rules
• Consent (although precarious to rely on)
• Codes of Conduct (Article 40)
• Certifications / Seals (Article 42)
Data breaches
• Mandatory breach notification obligations
• To the ICO without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; if notification is late, the reasons for the delay must be given
• To data subjects 'without undue delay' where the breach is likely to result in a high risk to their rights and freedoms
• Notification to the ICO must describe the nature of the breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of data records concerned, plus the contact details of the DPO, the likely consequences of the breach and the measures taken or proposed to address it
• Communication to data subjects must be in clear and plain language
• Every breach, whether notified or not, must be documented internally (the facts, its effects and the remedial action taken) so the ICO can verify compliance
EU DATA PROTECTION OFFICER – WHEN
Obligation to appoint a DPO
Controllers and processors:
• Who are public authorities or bodies (except courts acting in their judicial capacity)
• Whose core activities involve regular and systematic monitoring of individuals on a large scale
• Whose core activities involve large-scale processing of special categories of personal data, or of data relating to criminal convictions and offences
A group of undertakings may appoint a single DPO, provided the DPO is easily accessible from each establishment
Policies, procedures and internal record keeping
• Strong emphasis on documenting compliance with the Regulation via policies and procedures
• Mandatory to maintain internal records of processing activities for most organisations (Article 30; the exemption for organisations with fewer than 250 employees does not apply where the processing is not occasional, is likely to result in a risk to individuals, or involves special categories of data)
• The record must contain…
– Name and contact details of the controller / processor / representative and, where applicable, of the DPO
– Purposes of the processing
– A description of the categories of data subjects and of the categories of personal data
– The categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries
– Details about international data transfers and the appropriate safeguards that are in place
– Where possible, the envisaged retention periods for the different categories of data
– A general description of the technical and organisational security measures referred to in Article 32(1) (Security of Processing)
Sanctions for non-compliance are more than just for data breaches
Two levels of fines…
• Up to the greater of 2% of annual worldwide turnover of the preceding financial year or EUR 10 million – for matters re internal record keeping, data processor contracts, data protection officers, data protection by design and default, security of processing and breach notification
• Up to the greater of 4% of annual worldwide turnover of the preceding financial year or EUR 20 million – for matters re breaching data protection principles, conditions for consent, data subjects' rights and international data transfers
That dam breach or that damn breach?
What now? – Top Tips
Take a deep breath and ask……….
• Do we comply with current law?
• Where and how do we process personal data?
• What personal data do we process, and why?
Thank you
Bristows LLP, 100 Victoria Embankment, London EC4Y 0DH. T +44 (0)20 7400 8000
This document is for information purposes only and any statements or comments it contains relating to matters of law are not intended to be acted on, or relied upon, without specific legal advice on the matters concerned. To the fullest extent permitted by law, we disclaim all liability and responsibility for any reliance on the statements or comments contained in this document.
Bristows LLP is a limited liability partnership registered in England under registration number OC358808 and is authorised and regulated by the Solicitors Regulation Authority (SRA Number 44205).
Presenter
Enghouse Interactive's approach to GDPR
Enghouse Statement
Enghouse takes protection of personal data seriously and is actively working on alignment to and compliance with the upcoming GDPR legislation. We are engaging with all Enghouse business stakeholders, to respectively ensure that:
– There is understanding of the obligations regarding interactions with personal data
– Departments and the employees within them know their roles and responsibilities
– We understand our customers' needs relative to our products
– All departments of the business are aligned to one overall structure
– We can demonstrate accountability and transparency
– There is consistency in our global approach to GDPR compliance
"The key stages of contact centre compliance"
Discover, Consent, Processing
Discovery
Identify:
• What personal data you process
• Why you process it
• How you process it
• How long it is retained, and why
• Where it's stored
• Internal or outsourced contact centre?
Consent
How do you capture consent?
• Voice
• IVR
• E-mail
• Web
• Video
How is this audited?
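The question "how is this audited?" is one a ledger can answer. As an added example (not Enghouse's or Bristows' code, and not a description of any product), here is a small Python consent ledger: each grant or withdrawal is appended with the channel it was captured on, a reference to the evidence (recording, form submission, e-mail), and a timezone-aware timestamp; entries are hash-chained so a past withdrawal cannot be quietly edited away; withdrawing is the same one-call operation as granting, as the Regulation requires; and has_consent() answers the point-in-time question a complaint or an audit asks. The subject IDs, purposes, evidence references and events are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Capture channels named on the slide; anything else is rejected so the audit
# trail can never contain an unrecognised source.
CHANNELS = frozenset({"voice", "ivr", "email", "web", "video"})
ACTIONS = frozenset({"grant", "withdraw"})
GENESIS = "0" * 64  # prev-hash of the first entry


def _digest(event: dict) -> str:
    """SHA-256 over the canonical JSON of an entry, excluding its own hash."""
    body = {k: v for k, v in event.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ConsentLedger:
    """Append-only log of consent grants and withdrawals.

    Every entry stores the hash of the entry before it, so editing or deleting
    a past withdrawal (to 'resurrect' consent) breaks the chain and is caught
    by verify().  Withdrawing is the same one-call operation as granting.
    """

    def __init__(self) -> None:
        self.events: list = []

    def record(self, subject_id: str, purpose: str, action: str, channel: str,
               evidence_ref: str, at: datetime) -> str:
        """Append one entry and return its hash."""
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        if channel not in CHANNELS:
            raise ValueError(f"unknown capture channel {channel!r}")
        if at.tzinfo is None:
            raise ValueError("capture time must be timezone-aware")
        event = {
            "subject_id": subject_id,
            "purpose": purpose,            # e.g. "marketing", "call_recording"
            "action": action,
            "channel": channel,
            "evidence_ref": evidence_ref,  # recording id / form submission / mail id
            "at": at.astimezone(timezone.utc).isoformat(),
            "prev": self.events[-1]["hash"] if self.events else GENESIS,
        }
        event["hash"] = _digest(event)
        self.events.append(event)
        return event["hash"]

    def has_consent(self, subject_id: str, purpose: str, at=None) -> bool:
        """Point-in-time answer: the latest grant/withdraw captured at or before
        `at` wins, and no recorded grant means no consent."""
        cutoff = (at or datetime.now(timezone.utc)).astimezone(timezone.utc)
        state = False
        for e in self.events:
            if e["subject_id"] != subject_id or e["purpose"] != purpose:
                continue
            if datetime.fromisoformat(e["at"]) > cutoff:
                continue  # entries may be logged late, so do not break here
            state = e["action"] == "grant"
        return state

    def audit_trail(self, subject_id: str) -> list:
        """Every entry for one subject: what a DPO or a subject access request sees."""
        return [dict(e) for e in self.events if e["subject_id"] == subject_id]

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was altered, removed or reordered."""
        prev = GENESIS
        for e in self.events:
            if e["prev"] != prev or _digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True


T0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)  # constructed sample clock


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample: a caller consents on the web, is recorded via IVR,
    then withdraws marketing consent by phone a week later."""
    ledger = ConsentLedger()
    ledger.record("cust-1001", "marketing", "grant", "web", "form-7781", T0)
    ledger.record("cust-1001", "call_recording", "grant", "ivr",
                  "rec-20180525-0901", T0 + timedelta(minutes=1))
    ledger.record("cust-1001", "marketing", "withdraw", "voice",
                  "rec-20180601-1432", T0 + timedelta(days=7))
    return ledger


def demo() -> dict:
    """Run the sample through the ledger and report what an audit would see."""
    ledger = build_sample_ledger()
    tampered = build_sample_ledger()
    tampered.events[2]["action"] = "grant"  # someone rewrites the withdrawal
    return {
        "chain_ok": ledger.verify(),
        "marketing_day1": ledger.has_consent("cust-1001", "marketing", T0 + timedelta(days=1)),
        "marketing_day8": ledger.has_consent("cust-1001", "marketing", T0 + timedelta(days=8)),
        "recording_day8": ledger.has_consent("cust-1001", "call_recording", T0 + timedelta(days=8)),
        "marketing_now": ledger.has_consent("cust-1001", "marketing"),
        "unknown_subject": ledger.has_consent("cust-9999", "marketing"),
        "trail_entries": len(ledger.audit_trail("cust-1001")),
        "tamper_detected": not tampered.verify(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In production the ledger would live in a database with an append-only grant, and the evidence references would point at retained call recordings or form submissions; the design point that survives is that consent state is derived from the full history, never overwritten in place, so the answer to "did we have consent for this purpose on that date?" is always reconstructible and verifiable.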
Processing
How do you enforce/respect/observe data subject rights?
• Consult your data maps
• Think about data flows
• Process and policy
• Industry guidelines on best practice for treatment of data
Thank you
Remember! Technology isn't the answer – process is