As a part of Invoca’s continued commitment to security and data privacy, we’re proud to report that we are in compliance with GDPR, which will go into effect on May 25. We feel that a critical component of this commitment is transparency, so we would like to share some background on GDPR, what our compliance process looked like, and how GDPR affects Invoca customers.
What is GDPR?
The EU General Data Protection Regulation (GDPR) is a new EU regulation that will impact the way many companies collect and process personal data. The scramble to get in compliance has put the internet in a bit of a tizzy, but in the end, it should simplify data protection compliance for companies that do business in the EU.
The reason for this is that the previous Data Protection Directive that GDPR replaces was put in place in 1995, which was a few years before the internet was in wide use. Since then, personal data has been commoditized in a way that was not exactly on the minds of regulators in the 1990s, making the rules incompatible with the way we do business today. As the name implies, it was also a “directive”, which means it was up to the individual EU member states to implement the rules the way they saw fit, resulting in a patchwork of regulation that was difficult for organizations to navigate.
The aim of GDPR is to rectify both of these shortcomings by getting data privacy regulations up to speed with the digital age and simplifying compliance by creating a universal set of rules for all of the EU. The big change for companies outside the EU is that the new regulations now apply to all organizations that do business with EU residents, where the old directive only applied to companies that were actually based in the EU.
Under GDPR, organizations must ensure that personal data is gathered legally and under strict conditions. Data processing must satisfy at least one of the following six lawful bases (processing conditions):
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for you to comply with the law or legal process (not including contractual obligations).
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
Explaining the finer points of GDPR is more fodder for a novel than a blog post, but you can get all the details at the EU GDPR Information Portal.
There is no doubt that getting in compliance is a complex process that requires a concerted effort at the organizational level. Given the value of data in the digital age, these changes are needed to both protect consumers and create a simpler compliance environment for companies.
How GDPR Affects Invoca Customers
So, how will things change for Invoca’s customers on the May 25, 2018 GDPR compliance deadline? In terms of an Invoca customer’s experience in the platform, it will be business as usual. Our justification for processing your data falls under the “contract” condition, as our customers are “controllers” and we are their “processor,” processing data solely in accordance with their instructions as documented in the services agreement.
Invoca’s practices remain compliant because we transmit data only to the controller of that data (you, the Invoca customer), and we use only first-party cookies on your properties.
Invoca will continue, as it always has, to process data solely in accordance with its customers’ instructions and for no other purpose commercial or otherwise. In terms of the relationship between Invoca and its customers, however, we believe those relationships will get even better with Invoca’s increased commitment to data privacy and security. Here are some of the ways we’re accomplishing that:
- Invoca will be able to respond to valid data subject requests from its customers’ customers;
- Invoca will execute a Data Processing Addendum (DPA) with its customers to contractually commit itself to compliance with the GDPR as it relates to a specific customer;
- Invoca will continue to document and improve its data handling best practices, to fortify its strong preexisting data security and privacy pedigree;
- Invoca will continue to maintain technical and organizational security measures that meet the standards of the GDPR.
Our GDPR Compliance Process
Getting in compliance with GDPR is a huge undertaking for any organization. Fortunately for many of us at Invoca, our preexisting compliance posture — comprised of being PCI compliant, HIPAA compliant and Privacy Shield certified — made our transition into GDPR compliance more straightforward.
The Invoca call intelligence platform is the only one of its kind that is fully PCI and HIPAA compliant. Our machine learning engine has processed hundreds of millions of phone conversations across multiple industries, and our methodology of processing call data is in line with strict levels of data governance. Furthermore, the exercise of achieving GDPR compliance also enabled us to improve best practices related to managing data, resulting in an even stronger compliance posture.
So, what did coming into compliance with the GDPR look like? What was it about the compliance effort that created opportunities to strengthen data privacy and security best practices? To start, a key initial activity of the GDPR compliance effort was a comprehensive data mapping analysis. This required an eight-person internal Invoca team to interview key stakeholders from every department and map out the organization’s data flows.
The finished data map enables the organization to see where data is coming in, where it is being stored, whether and when it is flowing out, and who is managing the data. The exercise also requires internal stakeholders to justify the data’s existence. What emerged is an organization that’s more confident in its data handling practices which, in conjunction with the creation or improvement of policies, procedures and documentation, resulted in a stronger position of compliance.
The long and short of it — Invoca’s customers and its vendors will be able to rest assured that Invoca is committed to achieving a high standard of data security and privacy and that our products and practices meet all GDPR standards.