LeadDesk CEO Olli Nokso-Koivisto's thoughts on the General Data Protection Regulation.
Even though data protection has been visible in the media for the past year, it is important to remember that its roots go much further back. The original Data Protection Directive was adopted in 1995 and regulates the processing of personal data within the European Union. The new General Data Protection Regulation, adopted in April 2016, will replace the directive and bring the rules closer to today's data security requirements.
The primary objectives of the GDPR are to give people control over their personal data and to simplify the regulatory environment by unifying the rules within the EU. The regulation is planned to be enforceable starting in May 2018.
What will the effects be for LeadDesk?
On the technical side, we’re quite lucky. The new regulation is based on the German data protection directive, which we have been following ever since we entered the DACH market. The GDPR might even be a bit less strict than what’s required in Germany.
Some smaller details are still missing, so not everything is clear yet. We're working together with local associations and data protection agencies to make sure we get their views as soon as they publish them.
What challenges do LeadDesk's customers face?
As it looks now, there are some things our customers will have to take into account. I feel the most important ones are the right to be forgotten and the documentation of responsibilities and measures to ensure data protection.
The right to be forgotten and the right to one's data
Currently, we're considering the question of what data this applies to: contact lists, call logs, blacklists?
As we see it, call logs and blacklists don't necessarily fall under the personal data protection of the individual. For example, what happens if a consumer demands to be put on a blacklist and to have all their data wiped out? It's not possible, because if all data is wiped out, then even the record of the request itself would be wiped out.
The topic is very difficult and can't be solved alone. That's why we're working closely with both data protection agencies and direct marketing and call center associations to validate our views.
Ultimately, our customers will have to make the judgment call, but at LeadDesk we want to make sure we provide the call center solutions our customers need to enforce the decisions they make.
Clear documentation of responsibilities and measures to ensure data protection
We've started our auditing process to make sure we can support our customers with their responsibilities. On top of the SOC 3 audit conducted by KPMG, we were also certified against the ISO 27001 standard this year. There were some minor changes we needed to make, but overall we're happy with the findings.
Having passed both audits makes us an easy choice as a software vendor. Even if it's not an official requirement, it's understood that customers cannot be expected to carry out a more thorough data security audit of their service providers than these.
We'll be signing a GDPR-compliant data handling agreement with all our customers, outlining the responsibilities of both parties. On top of that, we'll also provide our customers with the templates and documents they need to document the software they're using.
In conclusion, the new regulation can bring some benefits for customers, especially those working internationally: harmonization of the rules can bring cost efficiency in data protection compliance. However, the new regulation will require businesses to take data protection compliance seriously; it has to move away from being something IT deals with to something the entire company understands.