Binotel WIRE User Rights Guide
This is a short guide to help you navigate the complex field of data protection laws. It is not by any means legal advice; we just wanted to give you a few hints on where to start looking.

The GDPR is an important European Union legislation that deals with data protection and applies to all businesses that deal with personal information of European citizens. It is mainly concerned with strengthening the respect for an individual's rights when processing their personal data. It is rooted in human rights and is probably the most well-known European Union legislation.

Under the GDPR, the definition of personal data is quite broad and may include any information identifying an individual in one way or another, including name, email address, phone number, place of residence, gender, date of birth, occupation, nationality, the information contained in a resume, etc.

The GDPR places more emphasis on accountability, and organizations must be able to demonstrate that they comply with the legislation.

What happens in case of non-compliance?

The fines for non-compliance with the GDPR can be a very costly mistake for a giant multinational enterprise and can surely kill many small to medium businesses. The fines can amount to €20 million or 4% of the firm's worldwide turnover. Non-compliance with the GDPR also creates another risk, which is more difficult to estimate, but equally severe for a business - bad reputation.

Reputational damage will be a core consequence of any GDPR-related fine or penalty, similar to the aftermath of privacy or cyber-related security incidents, which are usually covered by media and inevitably lead to the loss of customers and trust.

Disclaimer

Personal data protection laws such as the GDPR are complex. It is impossible to cover all the important details in one short guide. It is not intended as legal advice, but merely as a reference point for your data protection compliance efforts.

Intended use and your role

All our Services, including registration, statistics, call recording and determining the location of a call or employee, are intended solely for business purposes. They are not intended for personal use.

Under various laws, such as the General Data Protection Regulation (GDPR), you are most likely to be classified as a controller for the personal data of your employees using the app as well as of the customers who contact them.

Being a controller means you have a responsibility to safeguard personal data.

Consider user rights

The GDPR, as a specific example of privacy regulation, is largely concerned with granting people certain rights. One of the most crucial aspects of GDPR compliance is enabling the exercise of data subject rights. Below you can find a list of these rights with explanations and tips on how to implement them.

Right to be informed

The right to be informed is a user's right to know how you process their personal data; you typically satisfy it by publishing a privacy policy. It aims at building trust between consumers and your service. The policy needs to be written in a clear, concise way, using transparent language, and must explain why and how you process their data. Most importantly, the person from whom you are collecting data must be informed about it at the time the data is collected.

Right of access

The right of access allows a person to find out whether their personal data is being processed and, if so, to request a copy of all the data you hold about them.

After receiving the request, you must first check whether your organization processes the requester's personal data and give an answer. If the answer is yes, you must provide the requester with the data and the following information, which is usually already included in your privacy policy:

  • processing purposes;

  • categories of data processed;

  • recipients of personal data;

  • the planned duration of storage;

  • information about the rights of the requester;

  • information on the possibility of lodging a complaint with a supervisory authority;

  • origin of data (if it comes from a third party);

  • information about profiling (if applicable);

  • safeguards taken in case of data transfer to a third country.

Finally, you should provide the data subject with a copy of all his or her data you have in a structured format (e.g., CSV).

Right to portability

According to this right, the data subject (user):

  • Can receive the personal data relating to them in a clear, commonly used format; and

  • Can request that you transfer the data to another party (from one data controller to another).

While the first part is quite similar to the right of access, the second may seem troublesome. It is unlikely that someone will try to exercise this right to transfer the data to another controller, but we still recommend at least storing data in a way that allows transferring it in a structured, commonly used and machine-readable format.

  • Structured – Structured data allows easy transfer and ease of use: it is data where the structural relation between elements is explicit in the way the data is stored on disk. Software must be able to extract specific elements of the data. An example of a structured format is a spreadsheet, where the data is organized (structured) into rows and columns;

  • Commonly used – Simply put, the format you choose must be widely used and well established. However, it must be structured and machine-readable as well;

  • Machine-readable – data in a format that can be automatically read and processed by a computer. It is a format from which software applications can identify, recognize and extract specific data.

The most commonly used formats that fulfill the above-mentioned requirements are CSV, XML, and JSON.

Similarly to the right of access, you should provide the requester with a copy of his/her data within one month, which can be extended to two months.

Right to withdraw consent

This right is relevant for you when you collect consent, which is typically required when you send marketing emails to users or use third-party cookies (such as analytics or retargeting). The GDPR sets clear requirements for obtaining consent – it must be clear, specific, freely given, unambiguous, etc. The Regulation also provides that an individual can withdraw his/her consent at any time, without the need to explain their decision.

Right to rectification

When personal data that you hold is outdated or incorrect, the data subject has the right to update it. The main goal here is to ensure the accuracy of the person's data in your system.

The easiest and most straightforward solution for implementing this right is to enable users to change their data in real time on the website. Users should also be able to exercise this right through post/phone/email. It's a good idea to include this possibility in the Privacy Policy.

In case of an individual exercising this right through post/phone/email, you must fulfill the request within one month, or two months if you have a legitimate justification for the delay.

Right to restrict processing

The right to restrict processing allows an individual to limit the way you use their data. This can be compared to freezing or blocking the data. However, data subjects need a valid reason to exercise this right. Such a reason may be, for example, that the information held is inaccurate, that it is being or was unlawfully processed, or that the data subject objects to how you process the data.

You need to ensure that you have processes in place that enable you to restrict personal data. Those may be: temporarily moving the data to another system, temporarily removing the data from the website/database, etc. Next, you must ensure that no further processing of the data takes place, because the data cannot be changed while the restriction is in place. It is also important to prevent accidental processing of restricted data – the restricted data should be appropriately marked in the system.

As with most of the other rights, you must comply with the request within one month of receipt.

Right to erasure

This right is also known as the "right to be forgotten". The user can request that you, the controller, erase their data if it is no longer needed for the purpose for which it was originally collected. In the past, the EU has paid a lot of attention to this right and will not tolerate companies that do not satisfy valid requests for the erasure of their data.

When it comes to enabling the exercise of this right, you need to ensure that you are able to delete one's information from all your systems. You should comply with the request within one month, or within two months in limited cases.
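A constructed Python sketch, added here and not Binotel's or WIRE's code, that ties together the mechanisms described under portability, restriction and erasure: a restriction flag that ordinary processing paths check before touching a record, an export of everything held in JSON or CSV, erasure across every store that holds the person, and the one-month (or extended two-month) response deadline. The store names, fields and sample records are assumptions.

```python
import calendar
import csv
import io
import json
from datetime import date

# Constructed sample stores standing in for two systems that hold personal data
# (hypothetical names and fields, not WIRE's data model).
CRM = {"u1": {"name": "A. Example", "email": "a@example.test", "restricted": False}}
CALL_LOG = {"u1": [{"date": "2021-03-01", "duration_s": 120}]}

class ProcessingRestricted(Exception):
    """Raised when an ordinary processing path touches restricted data."""

def restrict(user_id, restricted=True):
    """Mark the record; every ordinary processing path checks this flag first."""
    CRM[user_id]["restricted"] = restricted

def update_email(user_id, email):
    """Rectification path: refuses to change data while the restriction is set."""
    if CRM[user_id]["restricted"]:
        raise ProcessingRestricted(user_id)
    CRM[user_id]["email"] = email

def export_portable(user_id, fmt="json"):
    """Access/portability: a copy of everything held, as JSON or flat CSV."""
    profile = {k: v for k, v in CRM[user_id].items() if k != "restricted"}
    bundle = {"profile": profile, "calls": CALL_LOG.get(user_id, [])}
    if fmt == "json":
        return json.dumps(bundle, indent=2)
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["record", "field", "value"])  # one row per stored value
    for field, value in profile.items():
        writer.writerow(["profile", field, value])
    for i, call in enumerate(bundle["calls"]):
        for field, value in call.items():
            writer.writerow([f"call{i}", field, value])
    return buf.getvalue()

def erase(user_id):
    """Erasure: remove the person from every store and report which were hit."""
    stores = {"CRM": CRM, "CALL_LOG": CALL_LOG}
    return [name for name, s in stores.items() if s.pop(user_id, None) is not None]

def response_deadline(received, extended=False):
    """One month from receipt, or two months where an extension is justified."""
    years, month0 = divmod(received.month - 1 + (2 if extended else 1), 12)
    year, month = received.year + years, month0 + 1
    return date(year, month, min(received.day, calendar.monthrange(year, month)[1]))
```

The point of the flag is that it lives on the record and is checked by the code paths that process it, so a restriction cannot be bypassed by an employee simply forgetting about a separate list.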

How you should get prepared:

Limit access to the data

Make sure personal data is only accessed when it is necessary. Employ technical and organizational measures to limit access for employees and contractors to what is necessary for their functions.

Usually, you can do this by selecting the appropriate settings in your CRM of choice and via the network and account settings of your system.

Review your service providers

WIRE can integrate with your chosen CRM service provider. Under various data protection laws, WIRE and such a provider would most likely be considered processors. This means that you, as controller, have a duty to make sure that they process the data only on your instructions and that the data is properly secured.

Here are some of the actions that you might take:

  • sign a Data Processing agreement

  • send out a data protection questionnaire

  • review their certifications and compliance standards, etc.

  • review security measures provided by the service provider.

Delete unnecessary data

Sometimes users will call you with irrelevant questions. Sometimes, they might give out more information than was necessary. At some point, information gets too old and essentially becomes useless.

Consider creating a process to securely remove such unnecessary data from your systems.

Secure data properly

Make sure you follow best practices in regard to the security of personal data.

There are numerous measures you can use to achieve that — create internal policies, use encryption where possible, create access controls, use anonymization and pseudonymization, backups, cloud security, etc.

Security measures are too numerous to list, so it is best you consult your security service provider.

Be transparent with your end-users

When your users call your employees, they should be aware that you are recording them and of their rights regarding personal data.

There are many ways you can achieve clarity and transparency with your users, such as notifying them during the call, providing a privacy policy or short privacy notices explaining your reasons to track and record the call.

You must consider whether it is appropriate to ask for user consent for call recording and how you can manage it.

Be very transparent about location tracking

Wire Plus allows you to enable location tracking when the app is used.

This setting is turned off by default.

If you would like to use location tracking, you must make such use transparent to your employees and make sure that they are able to give explicit consent for such processing. Wire Plus gives every employee the right to accept or reject location tracking personally on their device. However, you must ensure that when an employee provides consent, they do so voluntarily and without pressure. If you are using a different lawful basis for processing, you must consider what such a lawful basis entails and provide appropriate safeguards.

Be transparent with your employees

The personal data of your employees is just as important as the personal data of your users.

When you integrate Wire Plus into your business processes, make sure your employees understand that their calls are being recorded and know their rights regarding such recording.

Create an employee data protection policy

It is often a good idea to review your internal data collection practices and the relevant local and international data protection laws, and to create an internal policy that describes your approach to employee data protection and the people responsible for it.

Check local laws and court cases

There may be many peculiarities and complexities surrounding local data protection laws and the court cases that interpret them, especially regarding data that might be considered sensitive, such as banking or medical information, political affiliations, etc.

You should consult local lawyers if you engage in such processing.

Valid from 01.10.2019
Last edited: 04.28.2021