On Friday 9th June 2017, sipsynergy joined its partner Support Tree, who provide technical IT support and consulting to SMBs, for an event focusing on the implications of GDPR. For our part, we discussed specifically how this new legislation will impact the telecommunications industry and its users. Interestingly, most attendees were not aware of the extent that this new law would have on their communications.
It’s highly likely that you’ve seen (and probably know) the main points that the new GDPR legislation seeks to achieve. And whilst most businesses do the best they can to keep personal and sensitive data protected at all times, the average business is challenged by still operating old or out-dated communications systems that are unable to offer the levels of protection required.
A quick reminder of the key points of GDPR
The General Data Protection Regulation directive repeals the existing Data Protection Act, creating new obligations for compliance, including:
- Expanded territorial reach – More companies will be subject to the GDPR than are subject to the current law.
- Consent – Consent to the processing of personal data must be freely given, specific, informed and unambiguous.
- Accountability and privacy by default – Increased emphasis on the accountability for data controllers to demonstrate data compliance.
- Notification of a data breach – Notification to the Data Protection Authorities has changed.
- Sanctions – Fines of up to 4% of annual worldwide turnover are possible.
- Role of data processors – Direct obligations to implement technical and organisational measures to ensure data protection.
- One stop shop – This legislation will be applicable in all EU states.
- Removal of notification requirement – Notifying or seeking approval from a Data Protection Authority is changing.
- Right to be forgotten – One of the most useful changes for the average person managing their data protection risks.
How does this apply to my communications?
As can be seen above, the new legislation has very tangible relevance to the wide range of contact, communication and collaboration options available to businesses today. Keeping both personal and sensitive data safe and secure will be no mean feat – particularly if your communications are still fragmented across multiple platforms. And that is probably quite likely.
Today, we are faced with more ways to communicate than ever before. Even if you consider only voice, video, messaging, email, voicemail and desktop collaboration, just how many variations of these do you have access to? It’s not unusual to have multiple email addresses, phones and other devices, let alone the number of different apps we can use to communicate with. Keeping track of these in real time is difficult enough. Imagine the challenge ahead if you’re asked to remove someone’s details (under GDPR) from a series of communications that happened a few years earlier. What services did you use? Did they lead to other comms services being used? Do they now hold sensitive data? Are you sure you have found all the data that needs removing?
Above all, your communications partner must be able to demonstrate and prove that they have all the right policies, processes, practices and technical assets in place to keep your personal and sensitive data secure and tracked to always meet the upcoming GDPR requirements.
Know what you need
To achieve this, here are eight simple yet fundamental things you should look for, and indeed demand, from any prospective communications partner/supplier. In no particular order, these are:
- ISO 27001 is the international standard that describes best practice for an ISMS (information security management system). Achieving this certification demonstrates that your company is following information security best practice, and delivers an independent, expert assessment of whether your data is adequately protected.
- SLA & NDA controlled relationships. Service level agreements and non-disclosure agreements are commonplace these days, but not always effective when third parties are introduced to help underpin business services. Make sure your SLAs and NDAs cover any third-party services.
- Risk assessed and managed user provisioning, with restricted access to Client Service functions.
- Customer support interaction that is security controlled and managed in terms of access and client support requests.
- Risk assessed operations including their supply chain.
- Restricted access to client service functions.
- Thorough vetting and security training for all staff.
- Data Centres that are ISO 22301:2012 Business Continuity Certified. This standard provides a best practice framework for managing business continuity in an organisation.
Regardless of whether your own organisation is GDPR compliant, your customers’ details and security are at the forefront of these new directives and it is important you choose a partner with their interests in mind. The new regulation comes into force in May 2018, which might sound a long way off, but it really isn’t. Don’t leave it to the last minute to ensure your compliance.
For more information on how you can meet GDPR compliance with your communications or how sipsynergy ensures information and data compliance, contact us on 020 3355 9680 or go to our website at sipsynergy