We Implemented GDPR and Solidified a Promise of Data Protection

By Carl Blume on April 18, 2018

If you are a company that has customers in the EU, you have not only heard about GDPR, but at this point you are freaking out about it. We’ve been there for the past couple months, but are finally over the worst of it.

As of two days ago, 60% of organizations were still unprepared for GDPR. Even more concerning, despite the constant media stream about GDPR, 25% of organizations had little or no knowledge of it.

It is an important regulation and a large disruption to the legal landscape, with serious repercussions for non-compliance: fines of up to €20 million or 4% of annual global turnover, whichever is higher. Many organizations are not prioritizing it, even though they should. Why are so few properly prepared? The short answer is that it is a lot of work. Read on to find out how we are approaching it.

What is GDPR?

The General Data Protection Regulation (GDPR) is a comprehensive new data protection regulation put forth by the European Union to mandate data protection and give individuals in the EU stronger rights over their data. It replaces the 1995 Data Protection Directive (95/46/EC) and the national laws built on it, such as the UK Data Protection Act 1998, and takes effect May 25, 2018. GDPR requires that businesses follow rules regarding the collection, management, storage, and sharing of personal data. These rules are a big deviation from the past twenty years of data protection regulation, and aim to give individuals in the EU more control over their data.

What Does GDPR Mean For Us?

We have many customers that are located in the EU. Additionally, we have customers outside of the EU that have end-users located in the EU. Thus, GDPR applies to us and is something we must comply with.

We are, by GDPR standards, both a data controller (for customer data) and a data processor (for our customers' end-user data).

We are responsible for the data we collect directly from our customers. This includes business information, payment history (not credit card information), and personal information such as account contact details. We collect and store this data in order to provide our service, and because we decide why and how it is processed, we are a controller by GDPR standards.

Additionally, we process data on behalf of our customers. This data is collected from, or sent to us by, their end-users. Our customers are the data controller, while we process their end-users' data. We measure and manage the performance of real-time communications, which makes us a processor by GDPR standards. Specifically, we process the data of our customers' end-users in their video or audio calls.

GDPR treats controllers and processors as separate roles with separate obligations. As such, we are required to comply with both the rules for controllers and the rules for processors.

From the inception of callstats.io, we have followed a lot of best practices. We have consistently minimized the personal data we collect from customers, and we ensure customers have always been able to control their data. For example, customers have complete control over the conference identifiers and customer names they send through our REST API and client API. Additionally, we have guidelines and access controls in place to prevent employees without proper permissions from accessing personal customer data. These best practices made GDPR compliance a lot easier than it could have been.

However, we still faced some issues. For example, customers sometimes send user and conference identifiers that contain personal data (e.g., setting the conference ID to a personal phone number), which is not particularly responsible, since an identifier we were told to treat as opaque turns out to be personal data. Behind the scenes, we address this with industry-standard protection measures, including encryption and pseudonymization of potentially personal data, so that the identifier still works for correlating metrics but is no longer stored in a directly identifying form. As a result, we are able to achieve compliance without affecting the customer experience. We addressed several similar issues to ensure we were properly following the GDPR requirements.
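To make the pseudonymization step concrete, here is an added example (not callstats.io's own code) of how a processor can flag identifiers that look like direct personal data and replace them with keyed pseudonyms. It uses HMAC-SHA256 with a per-customer secret rather than a plain hash, because a phone number or e-mail address run through an unkeyed hash can be brute-forced from a small search space, whereas without the key the HMAC output is useless to an attacker. The detection patterns, the field names `conferenceID` and `userID`, the sample event and the tenant keys are all assumptions made for this example.

```python
import hashlib
import hmac
import re

# Heuristics for identifiers that look like direct personal data.
# These patterns are assumptions for this example, not the project's own rules.
# Note that a purely numeric identifier of eight or more digits will also match
# PHONE_RE; that false positive is cheap, because a pseudonymized identifier
# still correlates across events for the same tenant.
PHONE_RE = re.compile(r"^\+?\d[\d\s().-]{6,}\d$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample event, with identifier fields assumed for illustration.
SAMPLE_EVENT = {
    "conferenceID": "+358 40 123 4567",   # a phone number used as a conference ID
    "userID": "alice@example.com",        # an e-mail address used as a user ID
    "fabric": "audio+video",
}


def looks_like_personal_data(identifier: str) -> bool:
    """Return True if an identifier looks like a phone number or e-mail address."""
    return bool(PHONE_RE.match(identifier) or EMAIL_RE.match(identifier))


def pseudonymize(identifier: str, tenant_key: bytes) -> str:
    """Keyed, deterministic pseudonym: same input and same key -> same token.

    HMAC-SHA256 keyed with a per-customer secret means the token cannot be
    reversed or brute-forced without the key, yet the same conference still
    maps to the same token so metrics can be correlated across events.
    Separate keys per customer also stop one customer's identifiers from
    being linked to another customer's.
    """
    digest = hmac.new(tenant_key, identifier.encode("utf-8"), hashlib.sha256).digest()
    return digest[:16].hex()  # 128 bits is ample to avoid accidental collisions


def sanitize_event(event: dict, tenant_key: bytes) -> dict:
    """Return a copy of the event with personal-looking identifiers pseudonymized.

    Identifiers that already look opaque (e.g. "standup-2018-04-18") are left
    untouched, so customers who follow the guidance see no change at all.
    """
    out = dict(event)
    for field in ("conferenceID", "userID"):
        value = out.get(field)
        if isinstance(value, str) and looks_like_personal_data(value):
            out[field] = pseudonymize(value, tenant_key)
    return out


if __name__ == "__main__":
    # Assumed per-tenant secrets; in practice these come from a key store.
    key_tenant_a = b"tenant-a-secret-key"
    key_tenant_b = b"tenant-b-secret-key"
    print("original :", SAMPLE_EVENT)
    print("tenant A :", sanitize_event(SAMPLE_EVENT, key_tenant_a))
    print("tenant B :", sanitize_event(SAMPLE_EVENT, key_tenant_b))
```

The key property to check in a review is that `pseudonymize` is deterministic per tenant but differs across tenants, and that the original event is not mutated in place, since the raw value must not leak into logs or analytics after the sanitizing step.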

There is significant uncertainty and ambiguity that comes along with GDPR. Specifically, how will the courts handle these cases, what should we expect from the supervisory authorities as far as enforcement is concerned, and how will the businesses we work with address compliance issues? In order to address that as effectively as possible, we worked toward a single goal.

callstats.io is committed to protecting all the data we handle.

How Have We Changed?

We are responsible for protecting all customer and end-user data we control and process. In order to accomplish this, we have made several enhancements to our system, both internally and externally. We focused on doing this in the most customer-friendly way possible, with as few changes to customer workflows as was feasible. We will explain all of these updates, including what has changed, how it changed, and what it means for our customers, in several upcoming blog posts. Furthermore, we will be notifying our customers by e-mail over the coming weeks.

Lastly, our updated privacy policy will be available in the coming weeks, which will be a living document for how we approach data collection, control, processing, and protection.

What Do We Recommend?

The number of organizations not ready for GDPR is astonishing, especially considering the potential for substantial fines. If we could go back in time, we would say: start early, and be thorough. In fact, following general best practices from the beginning, above all data minimization and access control, makes the GDPR transition a lot easier.

Now, however, is the time to buckle down and get GDPR compliance under control, even if you have not started. This is an important set of rules that could have a severe impact on your organization's future and the future of your customers. Take it seriously.

If you have any questions about how we are addressing GDPR or data protection, please contact us.


Tags: callstats.io, Recruiting, Security, Engineering