Come May next year, every business in the UK will be subject to strict new EU regulations on data protection. Despite Brexit looming, the government has confirmed that the General Data Protection Regulation (GDPR) will be adopted, replacing current laws on data handling.
With its broad definition of what constitutes personal data, virtually every business will be affected by the GDPR. Handling and storing any personal data, be it employee records, customer details, even the names and email addresses of business contacts, will mean you have to comply with beefed-up rules aimed at protecting privacy.
The GDPR replaces the Data Protection Act. The main differences will be as follows:
- An expectation for businesses to plan for data protection ‘by design’, and be able to document how they do so
- Greater accountability for data breaches, including a requirement for businesses to report breaches within 72 hours
- Much stiffer penalties – a maximum fine of £20 million, compared to £500,000 under current UK law
- An expectation on businesses to gain consent before processing, using or storing personal data, and explain what the data is being used for if asked
- An expectation on businesses to only use data that is necessary, and to delete it once it is no longer useful
- A requirement for all organisations to delete data held on an individual if they request it
Many of these changes will require all businesses to adopt new policies, protocols and working practices to ensure they remain compliant. For the UCaaS industry, there are particular implications around the technology, but there are also great opportunities for vendors, resellers and service providers to add value by helping end users with compliance.
New responsibilities
One of the main issues facing cloud communications once the GDPR comes into effect is the way that a cloud network transmits and stores data outside a client company. As Ian Moyse, UK sales director at Natterbox, points out: “The GDPR is going to affect everyone in UCaaS, both customer (data controller) and cloud vendor (data processor).”
Ian here alludes to the fact that the GDPR has in part been designed to update data protection in the light of new technologies like the Cloud. It recognises that hosted services have created a new relationship whereby one business handles and uses data as part of its day-to-day operations (the data controller), while another runs the technical side of the processing and storage on its behalf (the data processor).
These new types of relationship in computing and communications technology have created two separate fronts in the battle to protect data – what happens in the client company and what happens in the provider’s data centre. The GDPR defines specific roles, responsibilities and levels of accountability for each.
Ian feels confident, however, that UCaaS vendors are well placed to meet these new responsibilities because security has always been a top priority in the development of cloud communications. “Security and data questions around the Cloud have remained the top questions and concerns for the past 10 years, but the cloud market has continued to grow and expand at an accelerated pace. What does this tell us? That the needs of customers for high security, protection and comfort can be met in most cases.”
Kris Wood, EMEA VP at Fuze, believes UCaaS vendors need to do all they can to take the weight of regulatory compliance off customers, and ensure the way their systems handle and process data is watertight.
“Cloud security and GDPR pose challenges for technology companies, but it’s up to vendors to work out the complexity for our customers and make it simple for them to do business,” he said.
“It’s important to follow the discussions about data privacy and the regulatory environment closely and for technology organisations to design their infrastructures in such a way that the market will accept it. When it comes to the tech, this means geographically-load balanced, multi-data centre architecture that ensures 99.999% uptime and business continuity, designed to support a number of security and data privacy compliance regulations.”
In safe hands
Marcus Gallo, marketing lead for Cisco Spark and Cisco Spark Hybrid Services, believes much of the technical infrastructure now built into UCaaS solutions is already more than compliant with the demands of GDPR.
“Often cloud-based services are more secure than on premises solutions because vendors are specialists in security as well as communications,” he said. He points to the example of end-to-end encryption, which protects against breaches of personal data at all points in the communication trail.
“Cisco Spark uses industry-leading encryption to ensure that messages, files, and whiteboards remain confidential, available, and secure at all times,” said Marcus. “The Cisco Spark app encrypts your data before it leaves your device, and data stays encrypted when it is in transit to our cloud servers – when we process your data (data in use) and when we store it (data at rest).
“Also, the identity and access management service within Cisco Spark provides one of the key pillars of the security protection for customers. Only users who successfully authenticate and are authorized to join a Cisco Spark space or meeting are given access.”
Rob Pickering, CEO of IPCortex, believes the trend towards open architecture in UCaaS solutions, allowing comms tools to be integrated in the context of other software platforms, also gives end users more control and oversight over how data is being shared and communicated.
He said: “Contextual comms could play an interesting role in how businesses deal with these challenges [from the GDPR] because it makes it easier to define how and when people communicate, as well as helping to define the specific data that will be shared. Being able to clarify the communications in this way will greatly enhance the ability of organisations to assess the risks associated with that data and apply the appropriate levels of control.”
Picking up on this theme, Ian Moyse offers the example of call recording helping with compliance on consent. “Cloud telephony, for example, can bring a great benefit to those seeking GDPR compliance,” he said. “Having a recording of a customer’s verbal consent to use and store their data will be essential to mitigate any complaint where no other proof exists.
“The Cloud enables these recordings to be stored cost effectively and linked automatically to customer CRM records, making it quick to retrieve when required, perhaps under a Subject Access Request.”
Ready and waiting
The consensus from cloud communications vendors, then, is that the GDPR will bring challenges, both to end users and to the channel. However, they also believe that the security infrastructure within cloud technology is more than ready for the tightened regulations, and even believe UCaaS solutions can help businesses with compliance.