OUR EFFORTS COVERED FOUR IMPORTANT AREAS:
- The NVM Platform: New requirements around Data Subject rights are now supported by the NVM platform.
- NVM Third-Party Sub-Processors: Our Sub-Processors, who support our delivery of the NVM Sales and Service Platform, are compliant with the GDPR.
- The NVM Data Processing Agreement (‘DPA’): Our updated DPA is available to all Customers to enable their compliance with the GDPR.
- NVM as Data Controller: Ensuring NVM’s own corporate compliance with the GDPR where we collect, process and retain personal data for our business purposes; for example, personal data of our employees.
NVM’s Approach to the Compliance Activity
The requirements of the GDPR touch on all functional areas of any company.
Our approach to the GDPR included these key initial steps:
- Established the Data Protection Officer (‘DPO’) role within NVM
- Established a GDPR Compliance Program
- Created a GDPR Expert Group delivering against the Program, headed by our DPO
- Reviewed the changes required to our product, alongside our practices, policies and procedures, in support of the four areas detailed above.
Communication remains an important aspect of our GDPR compliance program. At every step, we have communicated with the entire global NVM organisation to ensure all employees:
- Received training on the GDPR
- Are updated as to the status of the NVM Compliance Program
- Are continuously supported by the Expert Group to ensure their ability to respond to GDPR-related questions as they arise from our prospects, customers, partners, suppliers and employees
Our Products – NewVoiceMedia’s Platform
NewVoiceMedia is committed to maintaining the highest standards of security in relation to the services we provide to our Customers. Key to this is providing transparency to our Customers, so that they have confidence when using our Platform and other NVM solution offerings. This includes transparency about the Technical and Organisational measures NVM has embedded within our technology and organisational culture in support of our Customers’ compliance with the GDPR.
To provide this transparency, we refreshed our documentation, which is available to our Customers through our website and Community Hub. The documentation provides a more in-depth understanding of the Standards for Security (administrative, technical and physical controls), Privacy and Infrastructure that we have implemented and are maintaining across all our regions. It includes details of the internationally recognised security and privacy related certifications and audits that we have achieved, and which we are committed to maintaining.
These standards are intended to provide the appropriate technical and security measures to ensure the data of our Customers, including personal data which is processed in the provision of our services, is secure at every stage of the processing.
Support of Data Subject Rights
The GDPR brings with it refreshed rights for data subjects. For our Customers, the Right to be Forgotten is a key right that is required to be supported by the NVM Platform and its services and solutions.
Call Recordings and associated Metadata
Call recordings and associated metadata, including call recording transcriptions, that are stored in NVM databases and linked to an individual can be removed using new controls that are available within the administrative console for our Customers’ NVM Administrators.
Data Compliance Administration
New administration pages on the NVM Platform’s home page (administrative web-based portal) will allow an individual’s personal data stored in the NVM data stores to be forgotten. Personal data includes phone numbers (Calling Line IDs (‘CLIDs’) or Automatic Number Identification (‘ANI’)) as well as handles for non-voice interactions, such as email addresses, Twitter handles, etc. By forgetting (erasing) these values, NVM will replace the personal data with an anonymised value that cannot be traced back to the data subject but preserves the related data in order to ensure the data integrity needed for statistics and other data relevant to the operation of the contact center. Future NVM releases will include additional capabilities for the management of personal data processed by NVM.
NVM’s Platform does not control, and will not remove or anonymise, personal data stored outside the NVM Platform, such as in Salesforce, other CRM systems, or other products that utilise the NVM APIs for integration. For more information, please refer to each software vendor’s documentation and resources on GDPR and their support on Data Subject Requests.
NVM components that process data subject identifiers have undergone architectural evaluation and updates, and are enforcing the minimum retention periods (generally 30 days or less) necessary to provide reliable service, except where contractually obligated to retain data for longer periods of time.
Privacy By Design
NVM’s software development practices have adopted a Privacy by Design policy for new software, and NVM has been refactoring existing products to apply and better support Privacy by Design principles.
NVM Data Processing Agreement
To enable an NVM Customer to operate in a GDPR-compliant manner, NVM has a DPA that can be added to their existing NVM commercial agreement through a simple process.
NVM engages certain third-party companies (‘Sub-Processors’) in the provision of our services. For those Sub-Processors whose processing activities may include the processing of personal data in the provisioning of their services, a list of those Sub-Processors can be found here. All NVM Customers have the option to subscribe to NVM’s notification service to receive alerts of any proposed new or replacement Sub-Processor (via this link).
NVM has entered into DPAs with each of its Sub-Processors which contain data protection and data security obligations as well as the technical and organizational security measures, appropriate to their processing activities. These DPAs incorporate the Standard Contractual Clauses in the form set out in the European Commissioner’s Decision 2010/87/EU of 5 February 2010 (link) which apply to the processing of any personal data by a Sub-Processor which takes place in any country outside the European Economic Area (‘EEA’).
In addition, each of NVM’s sales contracting entities utilizes other NVM group companies in the processing of customer data. NVM has executed an Intra Group Personal Data Transfer Agreement (‘IGA’) between each of its group companies (including its Parent Company, Vonage Holdings Corp.), which deals with the global transfer of personal data that it is required to make in the ordinary course of its business and in the provision of the services to our Customers. The IGA incorporates the Standard Contractual Clauses in the form set out in the European Commissioner’s Decision 2004/915/EC of 27 December 2004 amending decision 2001/497/EC of 15 June 2001 (for “controller to controller” transfers) and Decision 2010/87/EU of 5 February 2010 (for “controller to processor” transfers) and deals with the global transfer of personal data in accordance with the applicable data privacy laws.