Guest Blog by Curtis Peterson, RingCentral SVP Cloud Operations
On May 25, the EU’s General Data Protection Regulation (GDPR) passed, dramatically changing compliance requirements and the way businesses protect consumer privacy on a global scale.
Now that we’ve seen the deadline for GDPR pass, it is fair to assess that the transition for companies and consumers alike has gone smoothly. But the challenge remains for businesses to properly implement GDPR in the long-term.
Businesses use many applications from e-commerce to sales support. But when you think about the lifeblood of an organisation, it’s communications. As with other applications, personal data is collected. So how can you balance your business requirements with the privacy protection required by GDPR? You can ease some of your worries by using a cloud communications service. Cloud communications providers, such as RingCentral, have a huge stake in getting this right. Our global business depends on it.
GDPR regulations might seem daunting. After all, you must obtain consent in clear, simple language for the collection of any personal data from an EU citizen or resident whose data is stored in or is collected in the EU. This consent can be withdrawn at any time. Under GDPR, individuals have these specific rights:
While initially arising because of the enormous amount of data collected, stored, and sold by large consumer websites and applications, the regulations apply to all companies, even those that are not based in the EU, that collect personal data in European countries.
Today’s communications apps store more data than most realize. Until recent decades, the data stored for telephony was limited to the caller’s phone number, the number they called, and the call’s duration. That’s it. Written communication was not stored at all, except by carbon copies and photocopies. Frankly, even documents on a computer could be difficult to find if misfiled somewhere.
Over the years, technology has created more flexible and different modes of communication. Cloud communications solutions offer various capabilities from voice, text messaging, team messaging, video and voice conferencing and more from any device — land or mobile. The speed at which features are being added and enhanced with the power of cloud is accelerating to improve the user experience. In a cloud deployment, updates can be made regularly and with minimal downtime.
Convenience and mobility come at a potential cost to privacy. When someone connects to the system, data is collected about everything. We can tell where the call or meeting took place, what device — Android or iOS, what time zone, and very specifically who it is. The way that we move with our communication devices on our person lets someone be pinpointed wherever they are at any given time, pinging cell towers and networks as we move.
GDPR is a huge move toward individual privacy rights, but it’s not alone. Other organisations are also pinning down data for privacy reasons: FINRA has privacy regulations surrounding financial information, and the United States Congress has passed tight regulations governing the privacy of health records with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Family Educational Rights and Privacy Act of 1974 (FERPA).
Today’s corporations have selected from three approaches to telecommunications: on-premises, hosted, and cloud. GDPR considerations are different for each.
In an on-premises communications environment, all software, equipment and data are housed on your property. You buy it, you maintain it, you store the data — presumably with some maintenance contracts — but it’s yours. What that means is that GDPR compliance rests on your shoulders. However, the data map of your data will not be easily accessible. You must work in partnership with your vendors to find it. In fact, even when you think you have tackled all the Personally Identifiable Information (PII) stored, you could purchase another reporting module from a vendor and find a trove of data you didn’t know about. You must devote corporate resources to develop and maintain regulatory compliance.
If your on-premises vendor provides a full update you might be able to have an updated system, but be careful. On implementation, GDPR already will be obsolete. Known problems with the law have yet-to-be-known fixes. If you update now, you surely will need to perform another costly update soon after. In my opinion, the move toward individual privacy rights of stored data has dealt yet another blow to on-premises communications because of the necessarily slow response to changes in the current regulatory and technology environment.
On a cautionary note, hosted communications services are not equivalent to cloud communications services. Although hosted communications is not stored fully within your walls, this hybrid solution could give a company a false sense of security when it comes to GDPR. When your carrier controls the system, you might believe that the carrier will update the software and take care of compliance issues in a timely manner. In reality, that’s not how it works. Hosted environments can have all the problems of the on-premises environment, but without any guarantee that the software you are using is up-to-date — and, therefore, compliant. In fact, carriers can be years behind software releases. How do you certify your hosts are in compliance? And, with GDPR, that PII storage is still your problem, but you might not have the tools to solve it.
Cloud communications providers are focused on maintaining a good experience for customers so they can manage their own business and not worry about their telecommunications. Cloud communications solutions offer the same advantages as other Software as a Service (SaaS) offerings:
For example, in the RingCentral GDPR solution, customers can view and edit PII directly within our products. The site administrator submits a request to delete, and the system provides a receipt.
By doing this, cloud communications providers not only save you time but also mitigate the risks involved in trying to implement GDPR completely on your own. Because data protection is important to us at RingCentral, our processes have been updated to include the ability to help address data subject rights, and ensure more comprehensive data protection standards for customer data.
Instead of going with a cloud communications provider, some companies form a self-identified, best-of-breed solution using several cloud vendors. That might mean one cloud telephony company, another for video conferencing, another for team messaging, and so on. In that case, each vendor might have private data stored. Instead of simplifying business, this can add complexity. Unless the data is unified, you still need someone to coordinate and consolidate the privacy requirements and requests among all these vendors.
While GDPR compliance is a big, broad challenge, partnering with a provider who has worked through many of these issues with care can help you meet your GDPR obligations. Beyond technology, commitment matters.
Cloud communications providers care about privacy more than is required by regulation because our customers require it. RingCentral dedicates people to follow security and compliance trends and regulations around the world. We will monitor any changes to GDPR — and others that are sure to follow — so we can make the necessary adjustments to our systems and business processes for our customers.
There is no guarantee that every cloud service will live up to the promise, but, done right, cloud solutions can ease GDPR compliance for your company’s communication and collaboration services.