10. July 2018 Blog

CloudTalk and GDPR: How to get ready?

CloudTalk and GDPR, how to prepare?

In the previous blog post, we covered the basics of GDPR and its impact on anyone dealing with personal data. Now we will tell you what measures CloudTalk has taken to safeguard your data and what features we have created to make it easier for you to become GDPR compliant.

How has CloudTalk enhanced data protection?

Obviously, the stage of analysis and implementation was preceded by extensive study of the whole issue and new rules. When we fully understood what GDPR actually means for CloudTalk, we identified several areas which we needed to handle:

  1. Data storage and processing: Data stored in our systems need to be minimized. We made sure that all our services have access only to the data which they really need. We have especially focused on ensuring that a service that has access to personal data really needs them (e.g. invoicing, API, etc.). Each service also has to erase personal data once it no longer needs them.
  2. Access control: Personal data in any form can be accessed only by persons who actually need to work with the specific data, e.g. employees who deal with invoicing don’t need access to recorded calls.
  3. Data deletion: If you ever decide that you no longer need CloudTalk, we will delete all your data. Of course, we will be happy to welcome you back if you decide to start using CloudTalk again. But once you leave and decide to come back after some time, the original data will already be deleted in compliance with GDPR.
  4. Security: We have enhanced the security of data transfers and storage. Your data are transferred exclusively through encrypted and secured connections. Call recordings and similar data are also encrypted. We reviewed all third-party services that we use and made sure they are GDPR compliant.
  5. Audit Log: Any access to your data will be recorded. You can easily monitor who accessed what data and when.
  6. Staff training: Our key staff received GDPR training to become familiar with the rules and to be able to suggest changes to further enhance our data safeguards.
  7. Sub-contractors: We started to review our contractual sub-contractors to make sure that they are ready to safeguard personal data by using complex technological and organizational measures. We have been documenting all the platforms that we use to provide our services.
  8. Processing agreement: We have been revising our personal data protection policies to cover all rules imposed by the GDPR. We will soon send you a processing agreement that you will need to be compliant with GDPR.

Of course, there are other issues that are relevant for us in terms of GDPR, but the above-mentioned list contains all the major changes that are also most relevant for you.

New features that will help you comply with GDPR:

We have created new features to help you make sure that you comply with GDPR.

  1. Call recordings can be deleted: If you need to delete communication with customers, you can easily do it on your own manually or through our API. Once you delete a recorded phone call, it will be deleted from all our services.
  2. Audit Log: We have created a new interface to help you monitor who accessed your data. You will be able to see who accessed your data in CloudTalk, when they accessed it, and what kind of data they accessed.
  3. Access to recordings: You can specify which agents have access to recorded calls and whether they can just listen to them or download them as well.
  4. Customer data export: Your clients are registered as Contacts. You can easily export the whole history of communications with a specific client into an Excel file.

GDPR and you as our client

There’s another area related to GDPR that is relevant for your business. Unfortunately, this is something that CloudTalk cannot do for you, because it is linked to the way you handle customer data.

Consent or other legitimate interests related to personal data processing which is essential for your business.

You need to make sure that CloudTalk can be accessed only by people who really need to see interactions with your clients. You also need to set up a process for handling requests from clients who no longer wish to be your clients and ask you to delete all their personal data, so that you can meet such requests. You should also make sure that you have clients’ consent or a legitimate interest in processing personal data (for example to record phone calls or send text messages). Although this is quite a standard procedure, we recommend that you use the SSL protocol to secure and encrypt all your communications. Also make sure that you have express consent to send marketing communications to your clients.

How can CloudTalk help you and our recommendations:

  1. Access control: All employees should use their own user account to access CloudTalk, especially for higher access levels – admins, supervisors, etc. You can set up access rights for all your staff based on what rights they really need.
  2. History of communications – download or deletion: 
    • In terms of personal data history, only the two following points are relevant for you:
      • You have to be able to provide clients with the data inventory that you hold about them upon request
      • You have to be able to delete any records related to the particular person upon request, be it a current customer or a former customer.
  3. Data storage and processing: You have to make sure that you have a legal basis, for example consent, to store personal data in CloudTalk. You will probably have to inform your clients of this fact and include it in your contracts, general terms and conditions or any other document which specifies your data protection policy.

Our newly developed features, which we described in the previous blog post, will definitely help you meet all these requirements.

Keep following our blog: we will gradually cover specific business areas and the impact that GDPR has on them, as well as tips on how to be GDPR compliant.

More articles from the GDPR series:

  1. GDPR: What you should know about the new Data Protection Act 
  2. CloudTalk and GDPR, how to prepare? (you’ve just read it)
  3. GDPR and e-commerce