What does GDPR really mean for my Contact Centre operations?


Posted on 27-Jul-2020


Page 1: What does GDPR really mean for my Contact Centre operations? (info.enghouseinteractive.com/rs/547-FBA-390/images/...)

Presenters

What does GDPR really mean for my Contact Centre operations?

Page 2

Agenda

• GDPR – debunking the myth

• The underlying legal changes that impact organisations

• Enghouse Interactive’s approach to GDPR

Page 3

EU General Data Protection Regulation: It’s not too late to get on the compliance journey!


Page 4

Robert Bond – Partner, Data Protection

• BA (Hons) Law, Wolverhampton University

• Qualified as a Solicitor 1979

• Qualified as a Notary Public 1989

• Companion of the British Computer Society

• Certified Compliance & Ethics Professional

Robert Bond has nearly 40 years' experience in advising national and international clients on all of their technology, data protection and information security law requirements. He is a recognised legal expert and author in the fields of IT, e-commerce, computer games, media and publishing, data protection, information security and cyber risks.

He is a member of the Board of the Society for Corporate Compliance & Ethics, a Trustee of the UK Safer Internet Centre, Chairman of Data Protection Network, a member of the UN Data Privacy Advisory Group to the United Nations and an Ambassador for Privacy by Design.

Page 5

Established in 1837, Bristows has always been associated with top-tier, full-service legal work involving innovative clients. Today we remain an independent, international law firm bringing together a diverse collection of talent to deliver high-quality legal advice and service.

Page 6

GDPR – What you need to know and how to prepare

• Are you a controller or processor

• What personal data you hold

• How to communicate privacy information

• Individuals’ rights

• Legal basis for processing personal data

• Data breaches

• Data Protection Impact Assessments

• The role of the Data Protection Officer

• International data transfers

Remember to understand…

Page 7

GDPR compliance is focused on a fixed point in time – it’s like the Y2K Millennium Bug

“I’m still picking up a lot of concern from organisations about preparing for the GDPR by May.

Much of that is understandable – there’s work required to get ready for the new legislation, and change often creates uncertainty.

However some of the fear is rooted in scaremongering because of misconceptions or in a bid to sell ‘off the shelf’ GDPR solutions.

I‘ve even heard comparisons between the GDPR and the preparations for the Y2K Millennium Bug.

I want to reassure those that have GDPR preparations in train that there’s no need for a Y2K level of fear”

Elizabeth Denham, Information Commissioner

Page 8

Data Protection – Preparing for GDPR

8 key principles of DP law – personal data must be…

Processed fairly, lawfully and in a transparent manner (lawfulness, fairness and transparency)

Collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes (purpose limitation)

Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation)

Accurate and, where necessary, kept up to date (accuracy)

Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (storage limitation)

In accordance with data subjects’ rights (rights of the data subject)

Processed in a way that ensures appropriate security of the personal data (integrity and confidentiality)

Not be transferred to a third country or to an international organisation if the provisions of the Regulation are not complied with (transfers)


Data Protection Principles

Page 9

Data Protection – Preparing for GDPR

• More flexibility to rely on ‘legitimate interests’ as a lawful ground to process personal data where there is a relevant and appropriate connection between the data controller and data subject

• Consent – remains very high standard

• Must be distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language

• It must be as easy to withdraw consent as it is to give it


Lawfulness of processing, legitimate interests and consent

Page 10

Data Protection – Preparing for GDPR

• Concise, transparent, intelligible and easily accessible form

• Clear, plain language

• Iconography


Information to be provided to individuals

Page 11

How to make legitimate interests “legitimate”

Recitals 47 to 50 in the GDPR give some examples of when a Controller may be able to rely on Legitimate Interests:

1) DIRECT MARKETING – processing for direct marketing purposes under Legitimate Interests is specifically mentioned in the last sentence of Recital 47.

2) REASONABLE EXPECTATIONS – where individuals have a reasonable expectation that the Controller will process their Personal Data, subject to the balancing test.

3) RELEVANT & APPROPRIATE RELATIONSHIP – where there is a relevant and appropriate relationship between the individual and the Controller in situations where the individual is a client or in the service of the organisation. Examples of this would include (i) if an individual had recently (within the last 2 years) purchased goods or services from the Controller or donated to an organisation, (ii) where the individual was a member of staff of the Controller.

4) STRICTLY NECESSARY FOR FRAUD PREVENTION – where the processing is strictly necessary for the purpose of preventing fraud. This could include verifying that the registered address of the cardholder for a particular credit or debit card is the same as the cardholder’s normal place of residence or work.

5) ORGANISATIONAL – where Controllers that are part of an organisational group or institutions affiliated to a central body transmit Personal Data within that organisational group or to the central body. However, the rules on transferring Personal Data to a country outside Europe must be complied with if this is relevant.

6) NETWORK & INFORMATION SECURITY – where the processing of Personal Data is strictly necessary and proportionate for the purposes of ensuring network and information security. An example of this would include monitoring authorised users’ access to a Controller’s computer network for the purpose of preventing cyber-attacks.


Guidance on the use of Legitimate Interests under GDPR

Page 12

How to make legitimate interests “legitimate”

• If a Controller wishes to rely on Legitimate Interests for processing Personal Data it must carry out an appropriate assessment, which we have called a Legitimate Interests Assessment, or LIA.

• When carrying out an assessment, the Controller must balance its right to process the Personal Data against the individuals’ data protection rights.

• In certain circumstances an LIA may be straight forward. However, under the accountability provisions of the GDPR, the Controller must maintain a written record that it has carried out an LIA and the reasons why it came to the conclusion that the balancing test was met.

• Legitimate Interests may be considered where another legal basis is not available due to the nature and/or scope of the proposed processing; or where there are a number of legal bases that could be used but Legitimate Interests is the most appropriate.


Guidance on the use of Legitimate Interests under GDPR

Page 13

Data Protection – Preparing for GDPR

Data Subject Rights

• Information (Art 14)

• Access (Art 15)

• Rectification (Art 16)

• Erasure (right to be forgotten) (Art 17)

• Restriction of processing (Art 17a)

• Data portability (Art 18)

• Object (Art 19)

• Automated decision making / profiling (Art 20)

Page 14

GDPR and processors – overview

• Controller must ensure processor will comply with GDPR

• Must be an appropriate contract between controller and processor

• Processor must have adequate information security

• Processor must not use sub-processors without consent of the controller

• Processor must co-operate with the relevant DPA

• Processor must report data breaches to controller without delay

• Processor may need to appoint a DPO

• Processor must keep records of processing activities

• Processor must comply with EU trans-border transfer rules

• Processor must help controller comply with data subject rights

• Processors are directly liable for non-compliance

Page 15

Contractual needs with Processors

• Documented instructions

• Confidentiality

• Information security

• Control of sub-processors

• Measures to help controller comply with data subject rights

• Co-operation with controller and DPA

• Destruction or return of data at end of contract

• Provide controller with evidence of GDPR compliance

Page 16

Data Protection – Preparing for GDPR

• Safe Harbor

• EU-US Privacy Shield

• European Commission approved Model Contract Clauses

• Binding Corporate Rules

• Consent (although precarious to rely on)

• Codes of Conduct (Article 38)

• Certifications / Seals (Article 39)


Data Transfers

Page 17

Data Protection – Preparing for GDPR

• Mandatory breach notification obligations

• To ICO within 72 hours

• To data subjects ‘without undue delay’

• Notification to ICO must describe the nature of the breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of data records concerned, plus contact details of the DPO

• Must be communicated to data subjects in clear and plain language


Data breaches

Page 18

EU DATA PROTECTION OFFICER – WHEN

Obligation to appoint a DPO

Controllers and processors

• Who are public authorities or bodies

• Who carry out activities involving regular and systematic monitoring of individuals

• Who process special categories of personal data

Group of undertakings may appoint a single DPO

Page 19

Data Protection – Preparing for GDPR

• Strong emphasis on documenting compliance with the Regulation via policies and procedures

• Mandatory to maintain internal records of processing activities for most organisations

• The record must contain…


Policies, procedures and internal record keeping

Page 20

Data Protection – Preparing for GDPR

Name and contact details of the controller / processor / representative

Purposes of the processing

A description of categories of data subjects and of the categories of personal data

The categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries

Details about international data transfers and the appropriate safeguards that are in place

A general description of the technical and organisational security measures referred to in Article 30(1) (Security of Processing)


Policies, procedures and internal record keeping

Page 21

Data Protection – Preparing for GDPR

Sanctions for non-compliance – two levels of fines…

• Up to the greater of 2% annual worldwide turnover of the preceding financial year or EUR 10 million – for matters re internal record keeping, data processor contracts, data protection officers, data protection by design and default

• Up to the greater of 4% annual worldwide turnover of the preceding financial year or EUR 20 million – for matters re breaching data protection principles, conditions for consent, data subjects’ rights and international data transfers


Sanctions for non-compliance are more than just for data breaches

Page 22

That dam breach or that damn breach?

Page 23

What now? – Top Tips


Take a deep breath and ask…

• Do we comply with current law?

• Where and how do we process personal data?

• What personal data do we process and why?

Page 24

Thank you


Bristows LLP, 100 Victoria Embankment, London EC4Y 0DH. T +44 (0)20 7400 8000

This document is for information purposes only and any statements or comments it contains relating to matters of law are not intended to be acted on, or relied upon, without specific legal advice on the matters concerned. To the fullest extent permitted by law, we disclaim all liability and responsibility for any reliance on the statements or comments contained in this document.

Bristows LLP is a limited liability partnership registered in England under registration number OC358808 and is authorised and regulated by the Solicitors Regulation Authority (SRA Number 44205).

Page 25

Presenter

Enghouse Interactive’s approach to GDPR

Page 26

Enghouse takes protection of personal data seriously and is actively working on alignment to and compliance with the upcoming GDPR legislation. We are engaging with all Enghouse business stakeholders to ensure that:

– There is understanding of the obligations regarding interactions with personal data

– Departments and the employees within them know their roles and responsibilities

– We understand our customers’ needs relative to our products

– All departments of the business are aligned to one overall structure

– We can demonstrate accountability and transparency

– There is consistency in our global approach to GDPR compliance

Enghouse Statement

Page 27

Discover – Consent – Processing

“The key stages of contact centre compliance”

Presenter notes: Who is the customer? What are they trying to do? Can we predict this? Is their preferred channel the best channel? What device are they interacting on? What time of day is it? Could you automate, through self service / AI?
Page 28

Discovery

Identify:

• What personal data you process

• Why you process it

• How you process it

• How long it is retained, and why

• Where it’s stored

• Internal or outsourced contact centre?

Presenter notes: Data flows – explain a use case – how does data flow from a consumer to an end user to a partner to Enghouse, and why, at the various stages.
Page 29

How do you capture consent?

• Voice

• IVR

• E-mail

• Web

• Video

How is this audited ?

Consent

Page 30

How do you enforce/respect/observe data subject rights?

• Consult your data maps

• Think about data flows

• Process and policy

• Industry guidelines on best practice for treatment of data

Processing

Page 31

Thank you

Remember! Technology isn’t the answer – process is.