GDPR Blog 08: What's Cooking?

January 02nd, 2018 9:47am | Call RecordingData ProtectionEUGDPR

GDPR is a big subject that mainstream business across Europe, including the UK, are just starting to see on the radar despite the fact that it was announced in May 2016. Firms now have less than a year to get their houses in order and become compliant with the directive.

The EC published a Data Protection Directive back in 1995 but 1995 was a long time ago. In terms of technology, it was a different age.

Since 1995 ‘the internet has blossomed, social networking has boomed, cloud computing has taken off, and all these changes have fuelled an explosion in data process.

Data protection laws exist because it is believed that, without them, technology will enable or cause data controllers and processors to trample on fundamental rights and freedoms.

Technology is, in other words, the principal problem that data protection law is trying to solve. As such, it is obvious that, as well as being the problem, technology must provide the solution. If entities are storing too much personal data, for example, technology needs to deliver delete, erase, de-duplication and minimisation functionality.

Let’s look at just one example, web site cookies.

An HTTP cookie (also called web cookie, Internet cookie, browser cookie, or simply cookie) is a small piece of data sent from a website and stored on the user's computer by the user's web browser while the user is browsing.

For organisations running a web site, i.e., most, cookies are very useful.

Cookies are designed to be a reliable mechanism for websites to remember stateful information (such as items added in the shopping cart in an online store) or to record the user's browsing activity (including clicking particular buttons, logging in, or recording which pages were visited in the past). They can also be used to remember arbitrary pieces of information that the user previously entered into form fields such as names, addresses, passwords, and credit card numbers.

Currently European law requires that all websites targeting European Union member states gain ‘informed consent’ from users before storing non-essential cookies on their device.

The introduction of the GDPR in May 2018 will however, raise many issues with the way in which the cookie, and the companies that deploy them on their web sites, operate.

Cookies can be personal data. The GDPR explicitly states that online identifiers, even if they are pseudonymous or if they do not directly identify an individual, will be considered personal data if there is potential for an individual to be identified or singled out. This is the basis for cookie consent being about GDPR compliance now, as well as the existing cookie laws.

Implied consent is however no longer going to be compliant. There are several reasons for this, primarily due to the GDPR requiring users to make an ‘affirmative action’ to signal their consent. Simply visiting a site for the first time would not qualify, so loading up landing pages with cookies in the hope people won’t opt out will no longer suffice.

Advice to adjust browser settings also won’t be enough. The GDPR says it must be as easy to withdraw consent as it would be to give it. Telling people to block cookies if they don’t consent would not meet this criterion. This method is difficult, ineffective against non-cookie-based tracking, and doesn’t provide enough granularity of choice.

Neither will ‘By using this site, you accept cookies’ statements be compliant. If there is no genuine and free choice, then there is no valid consent. People who don’t consent can’t suffer detriment, which means web sites must provide some service to those who don’t accept those terms.

Web sites also need a response to Do Not Track browser requests. A DNT:1 signal is a valid browser setting that communicates a visitor’s preference. It could also be interpreted by regulators as an exercise of the right to object to profiling.

Consent will need to be specific to different cookie purposes. Sites that use different types of cookies with different processing purposes will need valid consent mechanisms for each purpose, e.g. granular levels of control with separate consents for tracking and analytics cookies.

Most sites right now would fail on many of these criteria, and with the high risks associated with GDPR non-compliance (fines of up to 4% of annual returns,) most organizations won’t want to fail even once.

The underlying reasons for these issues will no doubt continue to be a source of debate, but one thing is certain: in the new world of the GDPR, where tougher and more penetrative forms of adverse scrutiny are likely, instances of technology failure will be harder to excuse.

How can Oak Innovation help?

Ability to remove recordings for a specific customer phone number

The ability to remove specific customer records is crucial to compliance. Under GDPR regulations, a data subject has the right to have their personal data rectified or forgotten. Oak makes it easy to find and remove specific records.

Secure recordings

All calls recorded on an Oak system are encrypted so they cannot be tampered with. Businesses are better protected from abuse, and in case of customer disagreements. stereo playback ensures perfect clarity as required by legal firms.

Store recordings for as long as you need

Oak systems can store a huge volume of recordings. Calls can be found using a wide range of criteria, for example, date, time, extension, CLI, DDI, telephone number, user defined flags or even customer reference if linked to a CRM system.