GDPR and call tracking
Written by Harry Bott
The business world is working itself into a froth about the implementation of GDPR (General Data Protection Regulation) by 25th May. As the Information Commissioner, Elizabeth Denham, said in her April update: “25th May is not the end. It is the beginning.” So, while people are getting concerned about 25th May and treating it as if the end of the world is about to arrive, the reality may be somewhat different.
If you have not yet considered your call tracking numbers in your GDPR data audits, then these should definitely be covered. In this blog we look at a few of the issues you will need to address with your call tracking supplier.
GDPR and third party data processors
One of the key challenges with GDPR is how to deal with third party suppliers who hold customer data on your behalf. The principle of data controller and processor is at the heart of this issue. As a data controller for your customer data, you will ultimately be held responsible for how your data processors manage your customer data. Tracking numbers contain customer data. Therefore your call tracking supplier has a relationship with you as a data processor of your data.
At the very least you should ask your call tracking supplier:
- What customer data they hold on your behalf
- How they process this data
- What security processes – both internal and external – they have in place when they hold this data
- How long they hold this data for
Call tracking providers based outside the UK / Europe
If your call tracking is supplied by a non-UK / European-based supplier, it’s critical that you understand their data security levels, and how and where they process your data.
The EU, especially under GDPR, does not believe that non-EU countries (especially the US) protect customer data as strongly as they should. The Privacy Shield agreement was created as a workaround so that US companies could be compliant when transferring EU data to and from the US. Any non-European call tracking supplier that is not Privacy Shield (or equivalent) compliant will not be compliant to process your customer data.
If using a non-European supplier, make sure you are satisfied that they are suitably compliant with processing your data outside of the EU. At Mediahawk, we’ve spent months changing our systems in preparation for the implementation of GDPR.
Our GDPR positioning statement can be read here.
This is well worth reading because it gives you a good understanding of what customer data is covered by a call tracking company, such as Mediahawk.
Overall, GDPR has been a consultant’s dream. However, the key to ensuring you are on the correct GDPR journey can be found on the Information Commissioner’s website, and you should follow their advice and guidance. The last words should go to the Information Commissioner: “We want you to feel prepared, equipped and excited about the GDPR. I know many of you do. For those that still feel there is work to be done – and there are many of those too – I want to reassure you that there is no deadline. 25th May is not the end. It is the beginning.”