Considerations for applications
The following list provides some high-level suggestions for achieving compliance with the GDPR when using a platform, such as Aculab Cloud, to process and transmit personal data. The best techniques for handling personal data for GDPR will ensure that data is anonymised, security and encryption are used wherever possible and that personal data is stored only as long as it is necessary.
Password authentication to access data such as recordings, voicemail messages or voice response systems will help ensure compliance with the regulations as data should be protected against unauthorised access.
You can’t send a short message over an encrypted channel; it remains plain text on transmission. Furthermore, an SMS will include originating and destination numbers, which could be used to identify an individual. So, you need to ensure that the content of text messages contains no sensitive information, such as medical or financial information. A message stating "Your appointment for tomorrow at 10:15 is confirmed" does not contain sensitive information, whereas a message stating "Hello John Smith, the statement for your credit card 4000100020009999 is ready to read" does reveal sensitive information. This could be improved by removing the name and restricting the credit card number to the last 4 numbers, for example "Hello, the statement for your credit card ending in 9999 is ready to read"
Voice recordings can be made by many types of application including IVR systems, healthcare applications and voicemail systems. Outbound applications such as appointment reminders will tailor messages for playback to an individual. Faxes are still important in some business sectors, healthcare being one example. In all these situations individuals associated with these files must not be identified through the way the files are stored. File names and folder names should be anonymised such that no identifiable personal information is made available. An extra recommended step which will help protect and secure personal data is to encrypt these files.
Individuals have a right to know how long their data is being stored. Files should only be stored for as long as they are necessary and processes should be in place to regularly delete files once they are no longer required.