Preparing to meet the EU GDPR rules with Aculab Cloud
Firstly, lets establish what the GDPR is, and why it’s important to Aculab and its customers in the EU region, and also for our non-EU customers who use Aculab Cloud for their customers who reside in the EU.
The general data protection regulation (GDPR) is a European law coming into effect on May 25th, 2018 and designed to ensure protection of the privacy rights of citizens in the EU region. It applies to any organisation doing business in the EU who processes the personally identifiable data of natural persons. It takes over from the current EU data protection directive (DPD), directive 95/46/EC, which has been in force since 1995.
The GDPR affects companies in different ways. At Aculab, we are affected in two ways, as both a data processor and as a data controller. The GDPR defines these two types of data handler, the data processor and the data controller, as follows:
Data processor The data processor is responsible for processing personal data on behalf of a data controller
Data controller The natural or legal person, public authority, agency or another body which, alone or jointly with others, determines the purposes and means of the processing of personal data
Aculab is both a data processor and controller. In our general marketing activities, whereby we handle individual details such as name, email address and phone numbers of customers and prospects who visit our website or whom we meet at events, then we are a controller of that data and as such must have measures in place to protect it. Our
With our recent website refresh, we have already built in the appropriate consent measures as you will see if you use any of the webforms on the site.
In running our Aculab Cloud service, Aculab is affected in a different way – we process your customers’ data and as such are acting as a data processor. The focus of this post is on what Aculab is doing in regard to our Aculab Cloud service to make sure we meet the GDPR and protect your data.
What we are working on to protect your data on Aculab Cloud
The rules relating to personal data that the GDPR covers are as follows:
The right to be informed Organisations must clearly state how they plan to use personal data
The right of access Access for an individual to the data that is being stored about themselves
The right to rectification Rectification of personal data if it is inaccurate or incomplete
The right to erasure Also known as the right to be forgotten. Processes to cover the removal of personal data from systems
The right to restrict processing Individuals have a right to ‘block’ or suppress processing of personal data. When processing is restricted, you are permitted to store the personal data, but not further process it
The right to data portability Allows individuals to obtain and reuse their personal data for their own purposes across different services
The right to object Enabling citizens to object to having their data processed
Rights in relation to automated decision making and profiling Rights of an individual to request information on and challenge decisions based on automated decision making with regard to their personal data
As a data processor, we are obliged to support our customers (acting as a data controller) and enable you to meet your obligations under the GDPR for personal data privacy.
We have conducted internal data audits and are working on our internal processes to ensure that we meet all the rules that the GDPR brings into effect about processing, protection and storage of personal data of EU citizens.
For Aculab Cloud, that personal data may include call or message records, and call recordings.
In terms of the process areas we are looking at, compliance can be broken down into these areas:
Access control Making sure we restrict who has access to your data
Data retention and deletion How long CDRs are stored, and when they can be deleted
Data security How to protect the data using encryption techniques
Auditing processes If we are asked what we are storing and why, we need to have an audit trail for that data
In some areas, we already have technology in place. For example, we already offer encryption of call recordings (free of charge). In other areas, we will be tightening up the processes we already have in place to make sure we fully meet the GDPR regulations.
We will keep you informed with further posts as these processes come into being.