The EU General Data Protection Regulation (GDPR) comes into effect on 25 May 2018, replacing the now-outdated Data Protection Act of 1998 (DPA). The GDPR is a unified piece of legislation, governing the activities of any organisation that handles or processes the personal data of individuals living in the EU.
The regulation guarantees individuals more extensive rights over how their personal data is used: the right to be forgotten (as in, to request that an organisation delete the data it holds on an individual); the right to edit incorrect information; and the right to know what data an organisation has collected and in what way it will be used. Crucially, the GDPR makes data collection an opt-in decision to be made by the individual, meaning that organisations must specifically ask people to give consent to data usage.
Almost every organisation doing business in Europe will be impacted by the GDPR in one way or another. Yet many are still unaware of what exactly they need to do. Indeed, 61% of companies have not yet begun the process of GDPR implementation.
This is worrying, considering that fines for non-compliance could be as high as €4 million or 4% of annual turnover, whichever is greater. So it’s crucial that businesses understand how they can help achieve compliance, and how voice recognition and identification solutions in particular can help ensure they don’t get caught out.
Businesses collect a lot customer data over the phone. And while call recording has been standard practice for years now, the results not searchable. For example, finding out when a customer gave their address over the phone might potentially require hours of tedious manual trawling through call logs.
When GDPR comes into effect, such a process is no longer be tenable. If an individual wishes to know about the personal data collected from them during a series of phone calls (as the GDPR would fully entitle them to do) the amount of time required to determine that through manual analysis of call audio would be significant. And it would almost certainly fall outside of the mandated time period for subject access requests.
This is further complicated by the fact that the GDPR requires businesses to allow individuals to access their data through a self-service system. So the challenge becomes twofold: how can businesses immediately get hold of the information they have collected on an individual? And how can they allow people to access that information themselves, and make changes to it if necessary?
The answer lies in voice recognition and intelligence technologies.
Voice-to-text solutions, for example, can immediately take a phone call and convert it into an easily-searchable digital form. Which means that businesses can very quickly keyword search through all phone correspondence to understand how much information has been collected on an individual. What’s more, information that exists in a text format can easily be shared with that individual, as opposed to supplying them with hours and hours of call logs. And perhaps most importantly, voice intelligence technology can be used to demonstrate compliance with GDPR, a crucial aspect of the regulation.
For example, if a customer is asked over the phone to opt-in to having their data collected and used by a business, the call recording will show that it sought and gained the consent. And with voice-to-text solutions, proving that would be a simple matter of keyword-searching through the call log database. Regardless of when the business is asked to prove consent.
Every business has its own challenges. So the precise implications of GDPR will differ from organisation to organisation. Which is why the first step of the compliance process should be to conduct an internal audit to understand the areas of the business that will be affected by the regulation.
A risk-based analysis on the effects of the GDPR will help businesses plan appropriately for where they can address, eliminate or otherwise mitigate risks. It is also time to start raising awareness internally of the likely impact of the GDPR on personal responsibilities within the organisation. Over half (53%) of businesses have suffered insider attacks on their network in the last year, meaning that the internal flow and access of data should be a key consideration.
Finally, it’s worth remembering that it’s not just organisations operating within the EU that will be affected. Any business, wherever it is in the world, that processes or otherwise handles the data of individuals in the EU will sit under the purview of GDPR. It is a wide-reaching piece of legislation with potentially global reach. And while voice intelligence solutions are a useful tool – the business itself needs to understand where that tool can most effectively be deployed.
The main thing for all organisations to consider is that current provisions will not be sufficient. The GDPR updates and supersedes the Data Protection Act, a piece of legislation originating in the nineties. Compliance with the DPA will in no way guarantee compliance with the GDPR. So businesses must act now to update their processes and technology or face potentially disastrous consequences.
