VoiceSage and GDPR Compliance

Why GDPR for VoiceSage?

Data Privacy really began in Europe in 1981 with the Council of Europe adopting the Data Protection Convention rendering the right to privacy a legal imperative.  In 1995, the European Data Protection Directive published Directive 95/46/EC which obliged each member state to create its own legislation and infrastructure for regulating the collection, storage and access to data held on individual citizens.  Hospitals, Banks and Government departments were already practicing personal data protection and security so personal data security and trust was nothing new.

This new 1995 directive had two main areas of weakness:

• Each EU state implemented the directive in its own way.
• It applied only to EU-based organizations.

GDPR began rearing its head in April 2016 amongst the business community when it was adopted by the EU as Regulation (EU) 2016/679.  The importance of this regulation is the protection of natural persons of the EU (people who live there) and the processing and free movement of their personal data and has a far-reaching effect on how businesses and individuals work with personal data.

As the Controller (owner or collector of the data) and Processor (a person or company that handles the data on behalf of a Controller) of personal data, it was extremely important for VoiceSage to be able to demonstrate to its customers its capability of protecting its own data, as well as that of its customers.

It is therefore extremely important for VoiceSage to demonstrate its ability to identify, manage and reduce the information security risks to protect its information and personal data assets .

What is Personal Data?

It is any information relating to an identified or identifiable natural person (Data Subject).  The GDPR clarifies this further:

“An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Personal Data Rights

• The right to be informed – be clearly informed clearly what one’s personal data is being used for. This is usually provided in an organisations Privacy Policy.
• The right of access – organizations must provide individuals access to the data they hold on them without any charge.
• The right of rectification – if the data one holds on someone is incorrect, one must correct it and send that correction to any third parties with whom one shared the incorrect data.
• The right to erasure – a Data Subject can ask organizations to delete their data and prevent further processing of it.
• The right to restrict processing – Data Subjects control how and where organizations use their data.
• The right to data portability – Data Subjects must be able to export their data in an open format, eg. CSV.
• The right to object – Data Subjects can ask organizations to stop processing their data.
• The right to question or object to automated decision making – with the onset of artificial intelligence (AI), decisions are being made by algorithms and computers. This right gives a Data Subject the right to know if a decision reached was automated or not and if so, request and obtain human intervention, express their point of view or obtain an explanation of the decision and challenge it.

Lawful Processing in the GDPR

Under the new regulations, it’s up to the organization using the data to prove that they are doing so legally.  Much discussion around the GDPR cites explicit consent as necessary for any use of personal data.  Consent is only one of many requirements.  Five of the most important being:

• the individual gives their consent
• processing the data is necessary to fulfil or enter into a contract with the individual
• legal obligation makes it necessary
• task carried out in the public interest or through official authority makes it necessary
• processing the data is necessary to pursue the legitimate interests of the data controller

What does Consent entail?

• give individuals genuine choice and control over whether they give consent
• gather positive opt-in: pre-ticked boxes and similar ruses do not count as consent whereas double opt-in will provide greater certainty
• be clear and very explicit in stating what the individual is consenting to
• keep your requests for consent separate from other terms of service
• be specific and granular: a blanket catch-all will not do
• be clear and concise: there’s no room for deliberately hard-to-parse double negatives
• name any third party who will rely on the consent
• make it easy for the person to withdraw their consent, and tell them how they can do that
• keep evidence of the consent: who consented, when, how and what they were told at the time
• review the consent you have and refresh it if anything changes
• avoid making consent a precondition of using your service

Securing Personal Data at VoiceSage

With the growing prevalence of information security threats to businesses and individuals, VoiceSage began the ISO27001:2013 security journey in October 2017 and decided to combine the implementation of this certification with the attaining of GDPR compliance and work towards other certifications as required.

VoiceSage attained ISO27001 certification in February 2018 which emphasises the fact that VoiceSage has clear and efficient policies and procedures combined with a high level of security infrastructure in place to protect the personal data it processes and the people it employs.

While no technology or systems are infallible to the data ‘terrorists’, VoiceSage has procedures in place to act quickly and efficiently on detection of a data breach.

Further, VoiceSage has implemented a continuous improvement culture amongst its staff for the upskilling of Internet and data security and this culture is also embedded in the work we do.

ISO27001 and the VoiceSage staff are the keys to ensuring the Confidentiality, Integrity and Availability of a Data Subjects data at VoiceSage.

VoiceSage is GDPR compliant as we have implemented the additional policies, procedures and staff training that is required, on top of what was required for achieving our ISO27001 certification.  Once GDPR certification is available, VoiceSage will apply for certification.

Our policies and procedures (say what we do and do what we say) are instrumental in providing our customers, staff and suppliers with the knowledge that VoiceSage has implemented and is able to demonstrate its abilities as both a Controller and Processor of personal data.