As CEO at iovox, I know that the new General Data Protection Regulation (“GDPR”) is an area of focus, concern and a little confusion across a range of industries. No doubt you’ve heard about it and certainly with data privacy having been in the news more recently due to Facebook, we thought a plain-spoken overview of these new rules might be refreshing for you. I can assure you that iovox has been, and always will be, advocates for data privacy but we wanted to set out how iovox is ready for GDPR. We hope you find this post useful as you evaluate GDPR and its wider implications.
Before we dive into the acronym soup of data privacy, we think it’s important that you understand our business, what we do, and how we generate income.
At iovox, we use phone data to help customers make better decisions about their business or to be more organized and productive. We make money from services we sell to customers. Importantly, we have never sold customer data and never will. Even if you use the free version of our service we will never sell your data or use it for marketing purposes to expose you to advertising from third parties.
If you are a customer of ours, we’ve always believed your data is your data. Who you share it with and how you use it is entirely up to you.
Now, let’s talk about the new data privacy laws which are being enacted on May 25, 2018 and what iovox has done to ensure compliance. The regulations are complex and made even more challenging with the uncertainty of Brexit, however, we have extensive expertise complying with complex regulations and are committed to making GDPR understandable for our customers.
In a nutshell, GDPR makes certain that your data belongs to you. Any piece of data which could be used to identify you as an individual has to be identified and managed very carefully by the company holding it for you. This is no problem for us, it’s the way we have always done business.
Background on the General Data Protection Regulation (GDPR) GDPR is a new law that is designed to give individuals based in the European Union (“EU”) control over their personal data. Although the law originated in the EU the implications stretch beyond those borders and impact companies as it relates to where and how EU personal data is stored. The regulations also create new rights for individuals based in the EU when it comes to how their data is handled, among many other things.
What is “Personal Data”? If you haven’t already, you’ll be hearing the phrase Personal Data (“PD”) come up quite a bit. PD is the foundation of the GDPR and it means “any information related to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly.” In short, PD is any piece of information that can be used to identify you as an individual.
Practically speaking, there are a variety of data elements that, either alone or when combined, can be used to determine a person’s identity. Those things include “direct identifiers” and “indirect identifiers” such as your name, email address, social media handle, telephone number, driver’s license number, passport number, date of birth, gender and so on. This data is called PD and under GDPR it belongs to you and you have new rights that you didn’t have previously. Before we get into those rights, it’s important to understand a few more important definitions.
Data Processors and Data Controllers As you learn more about GDPR, you will also hear these two terms, data controller and data processor, mentioned quite often. These are important terms and here’s a simple definition and a translation of what they mean in terms of how iovox interacts with you as your service provider.
A data controller is the person or company that decides what is done with data. They effectively control the data, handing it to a processor to use for whatever purpose the data controller intends. In iovox’s case, the person or company that logs calls in our analytics platform or our mobile app is a data controller. The only time iovox is a data controller is when we market our services to you.
A data processor is the recipient of the data entered into its systems by the data controller. They do what the data controller has instructed them to do. With iovox, when you make calls through our platform or take notes in our app on a call you just completed or push those same notes into your company’s CRM system, we are a data processor of your information and act on it as directed by you based on the services you’ve signed up for.
Rights and Obligations under the GDPR Now that we’ve established our respective roles as it relates to iovox services (you are the controller, we are the processor, unless we’re marketing to you), let’s talk about the new rights of individuals based in the EU.
Under GDPR, individuals in the EU have the right in certain circumstances to be informed about, to access, to rectify and to move the PD a data controller is processing about them. In simple terms, these rights to be informed empowers individuals to ask data controllers what information they have relating to that individual, why they have it, how long have they had it, what they intend to do with it, and whether they transfer it outside the EU.
If you were to find out that a company has incorrect information about you, you have a right to contact the company and have them make necessary corrections immediately. You can also request a digital copy of any data held about you and companies are required to provide this within a month of receiving the request (see How would I request my information from a company? Below). Portability rights are designed to enable you to take your data from one controller to another.
That’s not all. Finally, you have the right to object to and restrict the handling of your personal data, and the right to have it erased (to be ‘forgotten’). This means that you can object to certain uses of your data (e.g., if a company as part of their terms sells your information to advertisers). The erasure right gives you the ability to ask a company to delete all your PD provided there’s no “compelling reason” for the data controller to continue storing or processing that data for its original intended purpose.
How would I request my information from a company? The GDPR refers to something called a Subject Access Request (“SAR”) which is a formal notice that you, as an individual, would initiate with a data controller. Once a SAR is submitted, the company has thirty days to respond to the request. While requesting these reports are generally free, companies may charge reasonable fees for unfounded or excessive requests.
What are the GDPR requirements for iovox? In the limited case of our role as a data controller when doing marketing, among other things, GDPR requires that iovox:
- Be Clear and Simple – this is an obligation for us to make our descriptions and policies easy to understand so there’s little or no confusion.
- Explain Data Retention – We have an obligation to inform you of how long we intend to keep data in our systems. This is also covered in our Terms and Conditions.
- Make Consent Easy – we need to take extra measures to make sure when you give us consent (or choose to revoke consent based on your rights) that it is easy to do.
To reiterate, at iovox we’ve always been focused on your rights to data privacy and protection and since we don’t rely on your data for advertising income, that makes things slightly easier for us since we have no reason to collect or process personal information beyond what is required for our services to work for our customers. In GDPR-speak, this is the “intended purpose” of our use of your data.
If we have marketed our services to you, and you have opted in to receive information from us, we will have a record of those interactions. Consistent with GDPR you will have the ability to be removed from any specific marketing activity, similar to how we do business today in compliance with other email and phone-based marketing rules in America and elsewhere.
If you are also a customer, we will need the ability to retain your business information for billing purposes and technical support. These would qualify under the “intended purpose” provisions of GDPR.
As it relates to our core service offerings, there are two areas where a customer’s PD would be involved. First, for our traditional inbound call tracking service, we use phone data generated over our network to help our customers make decisions about the performance of their business. Second, for our free services, like our mobile app, we log phone calls and any notes or comments made by our customers into a system that allows that data to be retrieved at a later date or integrated into a third-party CRM system.
As a group of companies, we are compliant with the data transfer requirements of GDPR as well through intragroup data transfer agreements between our parent company and our subsidiaries. These agreements include the model clauses which have been approved by the EU for transfers of data outside the EU.
Again, as a reminder, we have never sold customer data and never will.
Does iovox have a Data Protection Officer (“DPO”)? Under the new rules, iovox is not required to have a DPO, however, with our internal team and legal advisors, we have thoroughly analysed the requirements under the GDPR and have put in place a dedicated internal team to make sure we continue to uphold the standards of privacy protection we have taken since Belinda and I started our company in 2007.
What’s Next? We hope this overview has been useful for you. For those of you that want to go deeper on the topic of the GDPR, we encourage you to review this source document by the Information Commissioner’s Office (“ICO”).
–Ryan Gallagher, Co-founder and CEO of iovox