Three GDPR questions you should ask your UC supplier

(Image credit: Docstockmedia / Shutterstock)

From interactive whiteboards to smart documents, the workplace is more connected than ever before, and businesses continue introducing a host of new technologies to drive collaboration and productivity across fast-growing, often global workforces. This has led to a significant uptake in Unified Communication (UC) solutions, which now leverage a myriad of digital avenues to intelligently connect employees and improve workplace experiences through quick and easy interactions.

Yet, with larger and more digital workforces inevitably comes larger pools of user data, which must be handled and stored appropriately across a range of UCaaS systems and within the constraints of the recently-enforced General Data Protection Regulation (GDPR). Designed to give people more control over how their data is both used and stored by businesses, GDPR has forced companies to upgrade their UC systems to meet its requirements and offer users maximum security when communicating through unified, cloud-based channels.

As a result, UC suppliers have faced pressure not only to take the necessary steps to ensure their business meets the demands of GDPR, but also to reassure their customers that both company and employee data are fully protected when in the hands of their service.

Nine months on from its enforcement, many are still grappling with its requirements in an effort to achieve full GDPR compliance, and customers remain unsure of exactly how their provider plans to keep their data secure as the workplace continues to digitise. There are now, however, a number of vital questions customers can raise to better understand their provider’s GDPR status.

How is my company data processed and managed in the post-GDPR UC market?

It is important to firstly understand the exact role your UC supplier will take when it comes to handling client personal data. According to the GDPR, the ‘controller’ is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Many UC suppliers, however, will not be the data controller of their customers’ personal information, except where they themselves determine the purpose of the processing (for example, billing or troubleshooting).

The regulation also defines the ‘processor’ as a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Therefore, when a supplier provides UC services and processes personal information on behalf of the client, the UC provider will then act as the data processor. 

When processing data in this way, UC providers must adhere to the regulation’s various accountability rules: lawful, secure and transparent processing, legitimate collection purposes with adequate necessity, accurate and up to date information (with inaccurate data to be rectified immediately) and kept in a form which permits identification of data subjects for no longer than is necessary. Checking with UC suppliers to ensure their processes meet these principles will help users to keep their data secure.

What provisions have been made to ensure user information is protected?

UC suppliers that successfully adhere to GDPR will have a significant number of provisions in place to ensure they are fully compliant and able to protect their users’ personal data. For example, providers may undertake data mapping and cartography procedures to understand both incoming and outgoing flows of customer data, allowing them to learn exactly what data is used throughout their platform and where.

Staff and company affiliates also have an obligation to acknowledge the change in regulations. Training of all employees can be carried out to ensure they fully understand and apply the GDPR principles correctly. Signed agreements between companies and their affiliates can also work to ensure respect for the GDPR principles amongst a business’s partners and associates. Additionally, UC suppliers should identify each of their sub-processors and sign a Data Processing Agreement with each of them, making further assurances by signing model clauses with any sub-processors not located in a country recognised as providing adequate protection.

Keeping customers fully up to date with any changes to data processes can also help to increase confidence in the security of their UC supplier. Taking time to inform customers of any intended changes concerning the addition or replacement of other processors and providing the opportunity to object to such changes can drive customer trust and transparency - two fundamental traits GDPR looks to improve. What’s more, implementing data security breach processes and storage limitations, whilst notifying clients without undue delay after becoming aware of a personal data breach can help to resolve issues faster and instil greater trust in their supplier’s efforts to rectify any issues which occur.

What are the business risks should a UC supplier not meet GDPR regulations?

Much like any other company operating under the legislation of GDPR, any UC supplier which does not adhere to its regulations could face the imposition of substantial administrative fines by the data protection authority. These fines can total up to €20,000,000 or, in the case of an undertaking, up to four per cent of the total worldwide annual turnover of the preceding financial year - whichever is higher. However, non-compliant suppliers not only risk incurring financial damages, but can also suffer a great loss of reputation amongst customers and industry players. Should a UC supplier’s standing fall through failure to comply, this can of course have a significant impact on the future success of the company and its competitive place within the wider market.

Should a person or company witness a breach of their personal data at the hands of their UC supplier, they could be exposed to the risk of their staff’s information being held by unauthorised parties or misused. In that event, any person who has suffered material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the controller or processor for the damages suffered.

UC suppliers must also be prepared to offer support and guidance to their customers when GDPR queries are raised. Establishing a dedicated compliance department which works solely on privacy issues and client requirements and creating a compliance and ethics website to provide useful documentation can help to alleviate risk and give customers a better insight into the work being carried out to safeguard their personal data.

As demands for smarter and more flexible working increase, UC solutions will inevitably continue to play a huge part in business growth across the European market. GDPR is therefore set to continue impacting the region’s UC providers for years to come and the need for clarity amongst consumers about the safety of their personal data is growing stronger every day. Looking ahead to a more digital and unified communications landscape, it is now the responsibility of suppliers to ensure that their systems are designed to meet the requirements of GDPR, in order to remain compliant and safeguard customer data both now and in the future.

Florence Mas Pastor, Chief Legal Officer, Arkadin