General Data Protection Regulation (GDPR) takes effect on 25th May, 2018, and as our service requires your input and processing of your personal information, we want you to understand that we take GDPR very seriously.
What is GDPR?
GDPR is a comprehensive set of policies designed to safeguard the privacy of citizens of the EU.
The following key principles are at the core of compliance with GDPR:
Specifically, our compliance with GDPR grants you the following rights as an EU citizen:
- The right to be informed about what personal data we intend to maintain, why access to that data is required and how we intend to process it.
- The right of access to the personal data that we hold about you, at no extra cost.
- The right of rectification of inaccuracies in your personal information.
- The right to erasure of your personal information from our systems, and third-party systems to which this data may have been propagated.
- The right to restrict processing of your personal data.
- The right to data portability.
- The right to object to further processing of your personal data.
- Rights regarding automated decision making.
Information Security
The GDPR requires VoiceRules to take necessary measures to ensure a high level of information security. If a business saves or processes the personal data of EU citizens, it is then accountable for securing this data as per industry best practices.
Access logs should be maintained for operations carried out on the personal data of EU citizens. Any data breach must be communicated to impacted users quickly and transparently.
Data Minimization
A key theme that runs across all of GDPR is ‘Data Minimization’. That is to say, companies should only hold the bare minimum personal information they need to offer their services effectively.
Additionally, personal data should only be maintained for the period necessary, and should be deleted once its utility is lost.
Today, data storage is inexpensive; as a result, modern systems and products tend to maintain data in excess, and for longer periods of time. We have carefully carried out an audit of our data systems and logging strategy to comply with this requirement.
What is VoiceRules doing to get GDPR ready?
VoiceRules has been working on a dedicated product roadmap that places customer consent, information security and data minimization at the very core of its communications platform.
Here are the key initiatives and product features, with details on how we are preparing to be compliant by May 25th 2018:
Access Control
Your VoiceRules dashboard lets you track usage, listen to voicemail, update billing information, download invoices, and much more.
We realize the need to ensure members of your organization have access only to the dashboard features and data that are relevant to their role in your organization.
We shall soon be launching the all-new VoiceRules management console with advanced user management features like Multi User Login, Single Sign On, Role Based Access Control and User Activity Logs.
Encrypted Storage For Recordings & Transcripts
Recordings and transcripts of your Voice calls can hold sensitive information pertaining to your end users.
VoiceRules hosts your voice recordings and transcripts on Amazon S3. All recordings will be encrypted at rest and securely stored in AWS S3 buckets.
Revised MDR and CDR archival processes
Going forward, VoiceRules will maintain MDRs and CDRs in its transactional databases for a period of 90 days only. MDR/CDR information in transactional databases is required for billing and accounting purposes by us and our customers.
We feel that the utility of this data in our transactional databases is lost after 90 days, and hence shall be deleting it at the end of the 90 day period.
Redacted MDRs and CDRs will be archived for much longer time periods in our data warehouse. This means that the last 3 digits of the source and destination numbers shall be masked in the CDRs and MDRs maintained in our data warehouse.
We recommend that you extract MDRs and CDRs from the VoiceRules system within 90 days from generation if you intend to maintain this information at your end. Requesting MDRs and CDRs that are older than 90 days will involve a longer turnaround time and the data provided will be redacted.
Data Security Audits
We’re getting all our systems and processes audited for GDPR compliance. Our objective is to have all personal data in our systems secured and encrypted.
Revised Account Deletion Policy
We are reworking our internal and external processes to align with the GDPR requirements to make sure that if you decide to close your account with VoiceRules, your data will be deleted from all VoiceRules systems, except where other laws (legal requests or taxation and accounting) require us to keep it.
As per the new process:
- Account closure requests from customers in good standing will be addressed within 15 business days.
- Personal data in third-party systems will be deleted.
- Usage data (CDRs, MDRs, Debug logs) and billing history (invoices, transaction logs) will be maintained for a period of 90 days from account closure.
- All other identifiable data associated with the customer will either be deleted or redacted from our databases.
Conclusion
As your communications solution partner, we understand that our compliance with GDPR is critical for you. We are making every effort to ensure your data stays safe. We will continue to share regular updates about upcoming changes. If you have specific questions about our GDPR readiness roadmap, write to us at contact@voicerules.com