The preparations cover four important areas:
- The NVM Platform: Reviewing the new requirements around Data Subject rights that needed to be supported by the platform. We can confirm that NewVoiceMedia’s Platform will be compliant with the GDPR by the enforcement date.
- NVM Third Party Sub-Processors: Ensuring the Sub-Processors who support our delivery of the NVM Platform are compliant with the GDPR by the enforcement date.
- The NVM Data Processing Agreement (DPA): Making our updated DPA available to all our Customers in support of their own compliance with the GDPR.
- NVM as Data Controller: Ensuring NVM’s own corporate compliance with the GDPR where we collect, process and retain personal data for our business purposes; for example, of our employees.
NVM’s Approach to the Compliance Activity
The requirements of the GDPR touch on all functional areas of any company.
Our approach to the GDPR included these key initial steps:
- Establishing the Data Protection Officer (DPO) role within NVM
- Creating a GDPR Expert Group delivering against the Program – headed by NVM’s DPO
- Establishing a GDPR Compliance Program
- Reviewing the changes required to our product, alongside our practices, policies and procedures, in support of the three areas detailed above.
Communication remains an important aspect of our GDPR compliance program. At every step, we have communicated with the entire global NVM organisation to ensure all employees:
- Receive training on the GDPR
- Are updated regarding the status of the NVM Compliance Program
- Are supported by the Expert Group to ensure their ability to respond to GDPR related questions as they arise from our prospects, customers, partners, suppliers and employees
Our Products – NewVoiceMedia’s Platform
NewVoiceMedia is committed to maintaining the highest standards of security in relation to the services we provide to our Customers. Key to this is providing transparency to our Customers, so that they have confidence when using our Platform and other NVM solution offerings. This includes transparency about the Technical and Organisational measures NVM has embedded within our technology and organisational culture in support of our Customers’ compliance with the GDPR.
To provide this transparency, we have refreshed our documentation, which we make available to our Customers through our website and Community Hub. The documentation provides a more in-depth understanding of the Standards for Security (administrative, technical and physical controls), Privacy and Infrastructure that we have implemented and maintain across all our regions, including details of the internationally recognised security and privacy related certifications and audits that we have achieved, and which we are committed to maintaining.
These standards are intended to provide the appropriate technical and security measures to ensure the data of our Customers, including personal data which is processed in the provision of our services, is secure at every stage of the processing.
Support of Data Subject Rights
The GDPR brings with it refreshed rights for data subjects. For our Customers, the Right to be Forgotten is a key right that is required to be supported by the NVM Platform and its services and solutions.
Call Recordings and associated Metadata
The call recordings and associated metadata, including call recording transcriptions, that are stored in NVM databases and linked to an individual can be removed using new controls that will be available within the administrative console for our Customers’ NVM Administrators.
Data Compliance Administration
New administration pages on the NVM Platform’s home page (administrative web-based portal) will allow an individual’s personal data stored in the NVM application to be forgotten. Personal data includes phone numbers (Calling Line IDs, CLIDs or Automatic Number Identification (ANI)) as well as handles for non-voice interactions, such as email addresses, Twitter handles, etc. When these values are forgotten (erased), NVM will replace the personal data with an anonymised value that cannot be traced back to the data subject but preserves the related data in order to ensure the data integrity needed for statistics and other data relevant to the operation of the contact center. Future NVM releases will include additional capabilities for the management of personal data processed by NVM.
NVM’s Platform does not control, and will not remove or anonymise, personal data stored outside the NVM Platform such as Salesforce, other CRM systems, or other products that utilise the NVM APIs for integration. For more information, please refer to each software vendor’s documentation and resources on GDPR and their support on Subject Data Requests.
NVM components that process data subject identifiers have undergone architectural evaluation and updates, and are enforcing the minimum retention periods (generally 30 days or less) necessary to provide reliable service, except where contractually obligated to retain data for longer periods of time.
Privacy By Design
NVM’s software development practices have adopted a Privacy By Design policy for new software, and NVM has been refactoring existing products to apply and better support Privacy By Design principles.
NVM Data Processing Agreement
In September 2017, we updated our standard customer contractual documentation in early preparation for the GDPR. A new Data Processing Agreement (DPA) compliant with the GDPR was introduced. This has enabled those Customers who already have this DPA in place to continue their subscription through the Enforcement Date without the need for their contract to be updated. For all NVM Customers that have subscribed to NVM’s Platform before this time, we have communicated with each Customer, regardless of their region, and provided them with a simple process to add our GDPR compliant DPA to their existing agreement, which will enable them to continue to operate in a GDPR compliant manner under their existing agreement with us.
NVM engages certain third party companies (“Sub-Processors”) in the provision of our services. For those Sub-Processors whose processing activities may include the processing of personal data in the provision of their services, a list of those Sub-Processors can be found here. All NVM Customers have the option to subscribe to NVM’s notification service to receive alerts of any proposed new or replacement Sub-Processor (link).
NVM has entered into written agreements in the form of a Data Processing Agreement (DPA) with each of its Sub-Processors which contain data protection and data security obligations as well as the technical and organisational security measures, appropriate to their processing activities. These DPAs incorporate the Standard Contractual Clauses in the form set out in the European Commissioner’s Decision 2010/87/EU of 5 February 2010 (link) which apply to the processing of any personal data by a Sub-Processor which takes place in any country outside the European Economic Area (EEA).
In addition, each of NVM’s sales contracting entities utilises other NVM group companies in the processing of Customer data. NVM has executed an Intra Group Personal Data Transfer Agreement (IGA) between each of its group companies, which deals with the global transfer of personal data that we are required to make in the ordinary course of our business and in the provision of the services to our Customers. The IGA incorporates the Standard Contractual Clauses in the form set out in the European Commissioner’s Decision 2004/915/EC of 27 December 2004 amending Decision 2001/497/EC of 15 June 2001 (for “controller to controller” transfers) and Decision 2010/87/EU of 5 February 2010 (for “controller to processor” transfers) and deals with the global transfer of personal data in accordance with the applicable data privacy laws. A copy of the IGA can be provided on request from a Prospect or Customer, subject to applicable confidentiality terms being in place.