Considerations for applications

The following sections provide some high-level suggestions for achieving compliance with the GDPR when using a platform, such as Aculab Cloud, to process and transmit personal data. The best techniques for handling personal data for GDPR will ensure that data is anonymised, that security and encryption are used wherever possible, and that personal data is stored only as long as it is necessary.

Authentication

Requiring password authentication for access to data such as recordings, voicemail messages or voice response systems will help ensure compliance with the regulations, as data should be protected against unauthorised access.

SMS

You can’t send a short message over an encrypted channel; it remains plain text on transmission. Furthermore, an SMS includes originating and destination numbers, which could be used to identify an individual. So, you need to ensure that the content of text messages contains no sensitive information, such as medical or financial information. A message stating "Your appointment for tomorrow at 10:15 is confirmed" does not contain sensitive information, whereas a message stating "The statement for your credit card 4000100020009999 is ready to read" does reveal sensitive information.

Anonymisation

Voice recordings can be made by many types of application, including IVR systems, healthcare applications and voicemail systems. Outbound applications such as appointment reminders will tailor messages for playback to an individual. Faxes are still important in some business sectors, healthcare being one example. In all these situations, the individuals associated with these files must not be identifiable from the way the files are stored. File names and folder names should be anonymised so that no identifiable personal information is made available. A further recommended step, which will help protect and secure these files, is to encrypt them.

Storage

Individuals have a right to know how long their data is being stored. Files should only be stored for as long as they are necessary and processes should be in place to regularly delete files once they are no longer required.