As many of you will be aware, the EU General Data Protection Regulation (GDPR) will come into force on 25th May 2018, replacing the current Data Protection Act 1998.
TTNC is committed to protecting all information on our systems, and to being transparent about what data we hold and how we use it. We set out below some information about GDPR and privacy in relation to the services we provide.
GDPR is a set of policies designed to safeguard the privacy of EU citizens and has the following fundamental principles:
Businesses collecting or processing personal information such as telephone numbers, IP Addresses, email, etc. must ensure that they have the clear and specific consent of users.
The onus is on you to ensure that your users know exactly what they are signing up for.
Don’t have consent checkboxes pre-selected, and implement double opt-in for marketing communication.
The GDPR requires businesses to take necessary measures to ensure a high level of information security and use industry best practices.
Access logs should be maintained for operations carried out on the personal data of EU citizens.
Any data breach must be communicated to impacted users quickly and transparently.
A key theme that runs across all of GDPR is ‘Data Minimisation’.
Businesses should only hold the bare minimum personal information needed to offer their services effectively.
Additionally, personal data should only be maintained for the period necessary and should be deleted when no longer required.
GDPR grants the following rights to EU citizens:
- The right to be informed about the type of personal data maintained, why access to that data is required and how it is processed.
- The right of access to the personal data that is held, at no extra cost.
- The right of rectification of inaccuracies in personal information.
- The right to erasure of personal information from business systems, and third-party systems to which this data may have propagated.
- The right to restrict processing of personal data.
- The right to data portability.
- The right to object to further processing of personal data.
- Rights regarding automated decision making.
What is TTNC changing for GDPR?
We have been working on a dedicated GDPR roadmap that places customer consent, information security and data minimisation at the very core of our platform.
Here are the key initiatives and product features, with details on how we are preparing to be compliant by 25th May 2018:
Updates to Call Data Records (CDR) processes
Call Logs, Call Data and CDRs will now be available for a period of 90 days only. We will then archive this data for 6 years as per our legal requirements.
SMS Messages and SMS logs
Both Inbound and Outbound SMS logs will be available for 90 days, with the content of the SMS messages being deleted after the first 30 days. We will then archive this data for 6 years as per our legal requirements.
Fax Messages and Fax logs
Inbound and Outbound Fax logs will be available for a period of 90 days only. Inbound fax files will be available to download or view on our platform for 30 days unless otherwise agreed; they are then permanently deleted and cannot be recovered.
Opt-in Call Recording message
Consent is now needed to record calls and a message must be played to the caller telling them that the call is being recorded, why it is being recorded and how the recording will be used. Our Inbound Call Recording service is already GDPR compliant and will only work if you use our default call recording greeting message or replace it with your own. Read more about our Call Recording service.
Call Recording Storage
Call recordings are available to download or play in our platform for 30 days unless otherwise agreed; they are then permanently deleted and cannot be recovered. All storage is within the EU, using PCI-DSS and GDPR compliant data centres.
Voicemail Recording Storage
Voicemail recordings are available to download or play in our platform for 30 days unless otherwise agreed; they are then permanently deleted and cannot be recovered. All storage is within the EU, using PCI-DSS and GDPR compliant data centres.
Revised Account Deletion Policy
We are reviewing our internal and external processes to align with the GDPR requirements to make sure that if you decide to close your account with TTNC, your data will be deleted from all TTNC systems, except where other laws require us to keep it.
- Usage data and billing history will be archived for a period of 6 years from account closure.
- All other identifiable data associated with the customer will either be deleted or redacted from our databases.
- Personal data in third-party systems will be deleted.
Permissions Based Access
Our online platform – myTTNC – already enables an "Account Administrator" to set up additional users and set their user permissions and access rights to areas or services in the platform.
We would just like to remind you that you are responsible for ensuring that, once any data is passed to you from within our network, it is handled in a way that is fully compliant with the terms of the GDPR.
You must have in place organisational and technical controls to ensure that you comply with all of your obligations under the GDPR and, if you use any third-party supplier or subcontractor, you must ensure that they are subject to and compliant with their obligations under the GDPR.
As your communications partner, we understand that our compliance with GDPR is critical for our success, and we are making every effort to ensure your customer data stays safe, while also being mindful about keeping things simple. If you have specific questions about GDPR, please contact us.