The EU General Data Protection Regulation (GDPR) is a significant change in data privacy protection. Later this year, GDPR will replace the current UK Data Protection Directive – note the change from Directive to Regulation.
The EU GDPR organisation has published an overview of the key changes at https://www.eugdpr.org/key-changes.html, containing guidance on territorial scope, penalties for non-compliance, and conditions for data usage consent.
How does GDPR apply to VoIP?
When considering data security and data protection, companies tend to focus on databases. Here, personal and/or sensitive data is analysed when the computer system is designed. Access to the data is limited to specific roles, and computer systems are tested to verify compliance.
Company telecommunication systems also contain personal data. Each end user’s phone directory contains the name, telephone number and possibly other personal data for each of their contacts. For a healthcare company that interacts with these people as patients, for example, the presence of their information may be sensitive to them.
Desktop telephone login
Where data is in a database, end users are accustomed to following a login procedure before accessing the data via a computer system. Typically, they will log out when leaving their desk; sometimes this is enforced by an automatic timeout. Logging in to a desktop telephone may be less well controlled. The login steps can be forgotten, and in some organisations the telephone may be left logged in overnight, which creates a security risk.
So alongside arranging a high-performance service with an international VoIP wholesale provider like https://www.idtexpress.com/, the company also needs to consider login procedures and end-user training.
For public organisations and where there are a large number of individuals, the organisation must appoint a Data Protection Officer, who will ensure compliance with GDPR.
Individuals must explicitly consent (for example, via a consent tick box) to their data being collected and to the purpose of data use. They must also be able to withdraw that permission, and to have the data removed if there is no legitimate reason for its continued storage.
This places obligations on companies that store personal data:
– To be open and transparent when requesting personal data
– To have effective procedures for removing data
– To manage the duplication or copying of data
To comply with GDPR, companies will need to assess their data protection strategy across the board, including VoIP.