Con l’introduzione di GDPR (General Data Protection Regulation), il regolamento generale UE sulla protezione dei dati che avrà efficacia tra pochi mesi (dal 25 maggio 2018), è importante che anche i sistemi utilizzati per la comunicazione ricevano lo stesso livello di protezione sui dati degli altri sistemi aziendali.
Una recente ricerca ha confermato uno scarso grado di preparazione di molte imprese all’entrata in vigore del GDPR. In molti casi (37%) manca il giusto livello di consapevolezza sull’obbligo di sottostare ai criteri di conformità del GDPR.
GDPR descrive come devono essere gestiti i dati sensibili e i dati personali degli individui. Quando questo riguarda i “systems of record” di un’organizzazione – cioè i database dei clienti, i sistemi CRM, i sistemi finanziari, ecc. – è relativamente facile rispettare le disposizioni del GDPR per proteggere i diritti dell’individuo. I problemi iniziano quando questi dati personali vengono tenuti o copiati in diversi sistemi di comunicazione meno regolamentati.
Questo problema è stato esasperato dal fatto che oltre ai sistemi di posta elettronica si sono aggiunti una vasta gamma di nuovi strumenti di comunicazione, spesso introdotti nell’organizzazione da parte dei dipendenti senza l’approvazione dell’IT. Questa tendenza verso il “shadow IT” o “bring your own app” mette a rischio i dati aziendali e rende quasi impossibile per le organizzazioni rispettare i loro obblighi di protezione dei dati. Come può un’organizzazione individuare, rettificare o cancellare i dati di un individuo se sono dispersi in una pletora di applicazioni di comunicazione scelte dai dipendenti?LEGGI TRASCRIZIONE
The General Data Protection Regulation or GDPR is a new set of data protection laws set to be introduced on 25th May 2018. It applies to all organisations in the European Union, and all organisations outside the EU that offer goods or services to individuals in the EU.
It aims to standardize data protection rules across the EU, and for most countries goes significantly beyond the previous national laws in place to establish a wider set of rights for individuals about the information organisations hold about them.
GDPR provides individuals with:
- The right to be informed about the information organisations hold about them, and how it is used
- The right of access to that information
- The right to rectification of any incorrect data held
- The right to erasure of the data
- The right to restrict processing, limiting how data an organisation holds may be used
- The right to data portability, allowing individuals to transfer their data from one service to another
- The right to object to how their data is used, and
Rights in relation to automated decision making and profiling
As most organisations already comply with their data protection obligations, the processes and systems they have in place form a solid basis for ensuring GDPR compliance.
However, in recent years, changes in the way business communication takes place have often worked against organisations’ good intentions around data protection. While their systems of record are typically well-structured and enable organisations to comply with their data protection obligations, their internal and external communication systems are a different matter entirely.
GDPR describes how personal data and sensitive personal data is handled. When this remains in an organisation’s systems of record – their customer databases, CRM systems, finance systems , etc – it’s relatively easy to comply with GDPR’s provisions to protect the individual’s rights. The problems start when this personal data is held in, or copied to communication systems that are much less tightly regulated.
This problem has been exacerbated by a move away from email into wide range of new communication tools, often brought into the organisation by employees without IT approval. This trend towards “shadow IT” or “bring your own app” puts company data at risk, and makes it almost impossible for organisations to meet their data protection obligations. How can an organisation possible find, rectify or erase an individual’s data if it is scattered across a mish-mash of employee-chosen communication apps?
If this scenario sounds unlikely to you, think again. In the UK, one of the largest ever fines imposed by the Information Commissioner’s Office related to the breach of a customer database that had not been approved by the organisation’s IT department. And it is widely acknowledged that NHS staff are regularly using WhatsApp to exchange patient data, often crossing the boundary of what constitutes “personal data”. Shadow IT is alive and well in most organisations, whether they know about it or not.
So all the good data protection work on your core enterprise systems could be undone if you fail to consider how personal data is included in your day to day business communication. One of the major changes GDPR brings is significantly increased fines for non-compliance. For example, Pharmacy2U’s fine of 130,000 in 2015 could have been 4.4m under GDPR. Talktalk’s 2016 fine of 400,000 could have been 59m under GDPR. In the new world of GDPR, no company can afford to ignore the risks of shadow IT.
Vmoso from BroadVision helps your meet your data protection obligations by consolidating your business communication in one place, removing the need for shadow IT communication solutions. Instead of messages being scattered across individual users’ email inboxes, or locked into unapproved communication apps like WhatsApp or Line, Vmoso stores all messages in a secure, cloud-based environment, making data discovery, rectification, and erasure straightforward.
Let’s look at an example.
Galaxy Telecom provides phone and broadband services to residential customers.
As Galaxy customer, Sarah is provided with a dedicated Vmoso customer service channel for all her communication.
She has reported a problem to Galaxy customer service, saying she’s unable to access certain websites and is being redirected to other sites.
Lloyd in the customer service team asks for details of which sites Sarah’s trying to access and where she’s ending up instead. During this discussion, Sarah confirms the IP address she’s currently using – this is something that GDPR classes as “personal data”.
As part of this discussion, Lloyd explicitly asks for Sarah’s consent to use the information provided to resolve the issue. A key requirement of GDPR is being able to demonstrate consent to use personal data, and receiving this consent in Vmoso provides a permanent record.
It’s now several months later. Galaxy have recently suffered a security breach of some customer data. They have, as GDPR requires, reported this to the relevant supervisory authority.
At the end of her contract, Sarah chose to switch suppliers so is no longer a Galaxy customer. But she hears about the breach in the news and is concerned that Galaxy may still hold some of her personal data. He asks Galaxy to provide her with all the information they still hold about her , and to delete it all.
Because all Sarah’s interactions with Galaxy have been through a persistent Vmoso customer service channel, this is trivially easy for Galaxy to do. Galaxy are able to provide Sarah with both the records from their core customer database, and a transcript of all the discussions they had with Sarah on Vmoso.
Galaxy’s use of Vmoso enables them to meet their GDPR obligations by providing Sarah with a rapid and comprehensive response.
But the impact of GDPR on communication systems isn’t just limited to customer service. It applies equally to any organisation inside or outside the EU that holds personal data about EU citizens, including cases such as:
HR departments retaining candidate information for recruitment
Charities maintaining lists of donors and volunteers
National and local government departments communicating with citizens.
With the introduction of GDPR just months away, it’s important that the systems you use for communication receive the same level of data protection scrutiny as your systems of record. Vmoso brings together internal and external communication, integrated to your systems of record, helping you meet your data protection obligations.