GDPR

The General Data Protection Regulation (GDPR) is an EU legal framework that set guidelines for the collection and processing of personal information of individuals within the European Union (EU). GDPR sets out the principles for data management and the rights of individuals, it covers all companies that deal with data of EU citizens, even if the company is based outside of the EU.

What rights and controls do EU citizens have?

GDPR provides individuals with increased rights and control over how their data is used. GDPR includes the following rights for individuals:

The right to be informed
The right of access
The right to rectification
The right to be forgotten
The right to restrict processing
The right to data portability
The right to object
The right not to be subject to automated decision-making, including profiling

In addition, businesses wishing to record personal data will need to ensure that at least one of the following six conditions be met to legally record the data:

Individuals involved in the call have given consent to be recorded
Recording is necessary for the fulfillment of a contract
Recording is necessary for fulfilling a legal requirement
Recording is necessary to protect the interests of one or more participants
Recording is in the public interest, or necessary for the exercise of official authority
Recording is in the legitimate interests of the recorder, unless those interests are overridden by the interests of the participants in the call

How does this affect businesses?

Any business that processes personal data will need to ensure they have policies and processes in place to meet the rights of the individual’s data they hold. In addition, they need to ensure they have a legal right to store the data, they are not storing data on minors, and that they have processes in place to report data breaches.

How does GDPR affect MiVoice Office Application Suite?

There are various features within the suite which can store personal data. These include:

Contact Directory - Custom data fields can be inputted along with telephone numbers and other contact information
Call Recordings - Personal data could be discussed on calls and stored in call recordings. Calls can also be tagged with custom data and notes
Call Reporting - Telephone numbers can contact/speed dial names are stored within the call history system
Phone Manager Outbound - Campaign data can contain personal information if imported in addition to the contact information

Any business that stores personal data (including recording telephone calls) will need to ensure that they have a legal right or requirement to do so. Where data storage (such as call recording) is not explicitly required by regulations (such as MIFID II), consent will usually be required.

Any personal data stored in the system will need to be documented as part of the business’ GDPR policies, with specific references on how data can be identified and modified/removed if required.

How consent for data storage is sought, recorded and managed is of vital importance. The ICO has published a detailed guidance on consent under GDPR:

https://ico.org.uk/media/about-the-ico/consultations/2013551/draft-gdpr-consent-guidance-for-consultation-201703.pdf

If existing forms of consent held by businesses do not meet the new requirements, they must be refreshed so that they meet the new GDPR requirements.

Employee User Data

The system will store limited personal data for users/employees. User accounts configured on the system will have an email address for the employee but no other specific information about the user. The system does store audit information about what users of have done; when they logged in, settings changed, recordings played etc.

In addition to usage data, any call recordings involving employees may contain personal data if discussed.

Customer Data

It is possible for the system to store the personal data of a company's customers in 3 locations:

Contact Directory Data - Imported into the system
Call Data - Logs of calls to/from the customer including their phone number and possibly their name if there is a contact match. This could also include custom notes added or data tagged to a call using the API
Call Recordings - Any information about the customer recorded on a call

It is important to understand what information is being collected by the call logging/recording system to ensure that any customer requests can be responded to.

Customer data can also be stored in the Mitel Phone Manager Outbound system. For information on this, please refer to the Mitel Phone Manager Outbound Technical Manual.

How to use the MiVoice Office Application Suite to help meet GDPR requirements?

The following sections outline how GDPR affects the system and how various features within the system can be used to help companies comply with GDPR requirements.

Document what is stored and ensure it contains no sensitive data

The previous section listed what types of personal data may be stored in the system. It is important to add to your existing GDPR documentation the data that is being stored in the suite. If any of the features listed are going to be used as part of the MiVoice Office Application Suite implementation (Contact Directories, Call Notes, Call Tagging, Call Recording, Phone Manager Outbound), the type of data stored must be documented.

The call data fields and contact data fields are not designed to store sensitive personal information. Ensure that any data imported into a contact directory or added in a note or tag field against a call is not classed as sensitive and does not relate to a Minor.

Consent / Provide callers with option to opt out of recordings

It is important to ensure that you have consent to record customer information (including recording calls) and that they have opted in. If required, Mitel can provide solutions to allow callers to opt in at the beginning of a telephone call. Contact your Mitel Sales Representative for more information.

Secure/Audit Access to the System

It is important to ensure that only the relevant users have access to the system and that they only have the minimum permissions that they require. In addition, ensure that the server the solution is installed on is appropriately secured and that no unauthorized users can gain direct access.

For more information on securing the server, please refer to the Best Security Practice section.

Tag recordings with Customer ID for Transparency

To ensure that customer records can quickly and easily be identified, the Communication Gateway API can be used to tag calls with a customer ID or other method of identification which offers improved searching over caller ID/telephone number searching.

Tools Available to Modify/Remove Data

Tagged data fields against call records and contact data can be updated or removed from the system. To remove call recordings themselves, they must be manually deleted from the storage medium at this time.

End-User Training

Ensure that all users of the system are trained on data protection and are informed that their own calls are being recorded (if applicable). Provide users with a non-recorded extension that they have access to so that they can make personal calls that are not recorded.

Update Internal Documents on where data is stored

When installing the system, ensure that your GDPR policy documentation is updated to make reference to any personal data that is being stored within the MiVoice Office Application Suite.