On May 25, the EU’s General Data Protection Regulation passed (GDPR), dramatically changing compliance requirements and the way businesses protect consumer privacy on a global scale.
Now that we’ve seen the deadline for GDPR pass, it is fair to assess that the transition for companies and consumers alike has gone smoothly. But the challenge remains for businesses to properly implement GDPR in the long-term.
Businesses use many applications from e-commerce to sales support. But when you think about the lifeblood of an organisation, it’s communications. Like other applications, personal data is collected. So how can you balance your business requirements with the privacy protection required by GDPR? You can ease some of your worries by using a cloud communications service. Cloud communications providers, such as RingCentral, have a huge stake in getting this right. Our global business depends on it.
GDPR regulations might seem daunting. After all, you must obtain consent in clear, simple language for the collection of any personal data from an EU citizen or resident whose data is stored in or is collected in the EU. This consent can be withdrawn at any time. Under GDPR, individuals have these specific rights:
- Right of access. They can request to know whether data is collected, specifically what is the data collected, and the purpose of the collection
- Right to be informed. They have the right to know how personal data is used
- Right to erasure. They can request data is erased and further use of the data eliminated. This is sometimes called the “right to be forgotten.”
- Data portability. They can download and move their data elsewhere at no charge.
- Right of rectification. They can have personal data corrected if it is inaccurate or incomplete
While initially arising because of the enormous amount of data collected, stored, and sold by large consumer websites and applications, the regulations apply to all companies, even those that are not based in the EU, that collect personal data in European countries.
Why GDPR is important in communications services
Today’s communications apps store more data than most realize. Until recent decades, the data stored for telephony was limited to the caller’s phone number, the number they called, and the call’s duration. That’s it. Written communication was not stored at all, except by carbon copies and photocopies. Frankly, even documents on a computer could be difficult to find if misfiled somewhere.
Over the years, technology has created more flexible and different modes of communication. Cloud communications solutions offer various capabilities from voice, text messaging, team messaging, video and voice conferencing and more from any device — land or mobile. The speed at which features are being added and enhanced with the power of cloud is accelerating to improve the user experience. In a cloud deployment, updates can be made regularly and with minimal downtime.
Convenience and mobility come at a potential cost to privacy. When someone connects to the system, data is collected about everything. We can tell where the call or meeting took place, what device — Android or iOS, what time zone, and very specifically who it is. The way that we move with our communication devices on our person lets someone be pinpointed wherever they are at any given time, pinging cell towers and networks as we move.
GDPR is a huge move toward individual privacy rights, but it’s not alone. Other organisations are also pinning down data for privacy reasons: FINRA has privacy regulations surrounding financial information, and the United States Congress has passed tight regulations governing the privacy of health records with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Family Educational Rights and Privacy Act of 1974 (FERPA).
Implementing GDPR in communications services
Today’s corporations have selected from three approaches to telecommunications: on-premises, hosted, and, cloud. GDPR considerations are different for each.
GDPR in an on-premises environment
In an on-premises communications environment, all software, equipment and data is housed on your property. You buy it, you maintain it, you store the data — presumably with some maintenance contracts — but it’s yours. What that means is that GDPR compliance rests on your shoulders. However, the data map of your data will not be easily accessible. You must work in partnership with your vendors to find it. In fact, even when you think you have tackled all the Personally Identifiable Information (PII) stored, you could purchase another reporting module from a vendor and find a trove of data you didn’t know about. You must devote corporate resources to develop and maintain regulatory compliance.
If your on-premises vendor provides a full update you might be able to have an updated system, but be careful. On implementation, GDPR already will be obsolete. Known problems with the law have yet-to-be-known fixes. If you update now, you surely will need to perform another costly update soon after. In my opinion, the move toward individual privacy rights of stored data has dealt yet another blow to on-premises communications because of the necessarily slow response to changes in the current regulatory and technology environment.
GDPR in a hosted environment
On a cautionary note, hosted communications services are not equivalent to cloud communications services. Although hosted communications is not stored fully within your walls, this hybrid solution could give a company a false sense of security when it comes to GDPR. When your carrier controls the system, you might believe that the carrier will update the software and take care of compliance issues in a timely manner. In reality, that’s not how it works. Hosted environments can have all the problems of the on-premises environment, but without any guarantee that the software you are using is up-to-date — and, therefore, compliant. In fact, carriers can be years behind software releases. How do you certify your hosts are in compliance? And, with GDPR, that PII storage is still your problem, but you might not have the tools to solve it.
GDPR in a pure cloud communications environment
Cloud communications providers are focused on maintaining a good experience for customers so they can manage their own business and not their worry about their telecommunications. Cloud communications solutions offer the same advantages as other Software as a Service (SaaS) offerings:
- The architecture is the same for all customers globally
- The work and cost of any change or feature, regulatory or otherwise, is shared across all customers
- Changes are not hard-coded into any device and can be updated with minimal disruption any time it is required
For example, in the RingCentral GDPR solution, customers can view and edit PII directly within our products. The site administrator submits a request to delete, and the system provides a receipt.
By doing this, cloud communications providers, not only save you time, but mitigate the risks involved in trying the implementation of GDPR completely on your own. Because data protection is important to us at RingCentral, our processes have been updated to include the ability to help address data subject rights, and ensure more comprehensive data protection standards for customer data.
GDPR in a multi-cloud environment
Instead of going with a cloud communications provider, some companies form a self-identified, best-of-breed solution using several cloud vendors. That might mean one cloud telephony company, another for video conferencing, another for team messaging, and so on. In that case, each vendor might have private data stored. Instead of simplifying business, this can add complexity. Unless the data is unified, you still need someone to coordinate and consolidate the privacy requirements and requests among all these vendors.
While GDPR compliance is a big, broad challenge, partnering with a provider who has worked through many of these issues with care can help you meet your GDPR obligations. Beyond technology, commitment matters.
Cloud communications providers care about privacy more than is required by regulation because our customers require it. RingCentral dedicates people to follow security and compliance trends and regulations around the world. We will monitor any changes to GDPR — and others that are sure to follow — so we can make the necessary adjustments to our systems and business processes for our customers.
There is no guarantee that every cloud service will live up to the promise, but done right cloud solutions can ease GDPR compliance for your company’s communication and collaboration services.
Guest Blog by Curtis Peterson, RingCentral SVP Cloud Operations
