First, let me post a disclaimer here: I am not a GDPR compliance specialist or advisor. I am a business leader and probably fall into the 84% who didn’t fully understand the “nuts and bolts” of the GDPR. So, I set out to do a bit of research and increase my level of understanding. I wanted to know how this affected our US-based company and the contact center industry. Here are some basics that you need to know.
A recent study by Sage revealed that 91% of US businesses surveyed had no awareness of the GDPR. It also revealed that 84% of US businesses surveyed don’t understand the implications for their company. American businesses operating in, or serving customers in, the EU need to understand the regulation. Compliance requirements can be triggered by something as simple as making your website available to people in the EU. You may need to appoint a Data Protection Officer, especially if you have a presence in the EU. Companies with fewer than 250 employees may have reduced documentation requirements. There is much to know. The letter of the law can be found on the ICO website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/documentation/
What does the GDPR provide? In a nutshell…
- The GDPR contains explicit provisions about documenting your processing activities.
- You must maintain records on several things such as processing purposes, data sharing and retention.
- You may be required to make the records available to the ICO (https://ico.org.uk) on request.
- Documentation can help you comply with other aspects of the GDPR and improve your data governance.
- Controllers and processors both have documentation obligations.
- For small and medium-sized organizations, documentation requirements are limited to certain types of processing activities.
- Information audits or data-mapping exercises can feed into the documentation of your processing activities.
- Records must be kept in writing.
- Records must be kept up to date and reflect your current processing activities.
How does this affect businesses in the US?
While the law applies to businesses operating within EU member states, it may also have an effect on your US business. A recent CNBC report describes a managed care company operating in Nevada that believed it was exempt from the regulation. However, one of its European customers mandated that it put a GDPR program in place, because the company was processing data on behalf of someone in Europe. Therefore, if a company based in the United States, or another non-EU country, collects or processes personal data of any employee, prospect, customer, partner, or supplier that is based in the EU, that company will need to be compliant with the GDPR. (Do not take my word for it. Seek a professional.)
AVDS, a long-standing Genesys Gold Partner, is a contact center solutions and enterprise communications specialist. We must look at how this applies to our industry and to the products and partners with whom we work. Paul Segre, CEO of Genesys, a leader in Contact Center and Omnichannel Customer Experience solutions, recently updated their customers and partners on GDPR and FedRAMP compliance: http://blog.genesys.com/genesys-security-credentials-mounting-even-higher-with-gdpr-and-fedramp/ Genesys security and operational controls are based on industry standard practices and are certified to meet PCI-DSS, ISO 27001, SOC 2 Type 2 and HIPAA compliance (to name just a few). This gives AVDS and our customers peace of mind, knowing that security is, and always has been, embedded in and fundamental to every Genesys cloud solution.
What is FedRAMP? It is a US government-wide program to standardize security assessment, authorization, and continuous monitoring for cloud products and services. Upon completion in 2019, Genesys will be able to bring this level of legally mandated government security to the private sector.
Do we really need all this? Yes. With the enormous volume of personal data collected today and the proliferation of data breaches, data protection and security are as critical now as ever. That may sound basic to some of us. Yet that is exactly why the EU has enacted regulation to protect data and the people it represents. The collection, processing, and storage of data have long been a security challenge. That data is personal information and should have basic protection. The focus of the GDPR is protecting the integrity of individuals’ data, not that of organizations.
Useful links and references: