Voice Assistants and GDPR: What You Need to Know
With the General Data Protection Regulation (GDPR) kicking in today, May 25, companies that do business in the EU are rushing to button up their data privacy procedures. The regulations prescribed by GDPR can seem pretty complex and difficult to comply with – especially for companies that process personal information within voice recordings. John Milton, General Counsel at Interactions, LLC, explains GDPR and compliance in the voice arena – an often overlooked aspect of preparing for GDPR.
With the General Data Protection Regulation (GDPR) being implemented from May 25, companies that do business in the EU are rushing to button up their data privacy procedures. As you probably know by now, GDPR contains a new set of rules designed to give EU citizens more control over how their personal data is transmitted, stored and processed.
GDPR replaces the 1995 EU Data Protection Directive (the “Directive”), but unlike the Directive, GDPR’s reach expands beyond the borders of the EU. GDPR applies to any organization operating within the EU, as well as any organization outside of the EU that offers goods or services to customers or businesses in the EU. With heavy fines up to €20 million or 4 percent of global revenue for non-compliance or data breaches, GDPR is something that no company can afford to ignore.
Ultimately, GDPR puts more authority and control over personal data in the hands of the individual, giving them the power to control exactly what personal information companies are collecting, and to request the erasure of any personal information companies have on file. The definition of personal data is very broad under GDPR. Personal data includes any information that relates to “identified or identifiable” persons.
An “identifiable person” is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. The regulations prescribed by GDPR can seem pretty complex and difficult to comply with – especially for companies that process personal information within voice recordings.
“Data Controllers” and “Data Processors”
Like the EU Data Protection Directive, GDPR contains the concepts of “data controllers” and “data processors”. It defines a data controller as a person, group, or business that “determines the purposes and means of the processing of personal data”. Data processors, on the other hand, are entities that process personal data solely on behalf of, and as directed by, data controllers.
For example, my company, Interactions, creates Intelligent Virtual Assistants (IVAs) that automate customer care for global companies like Hyatt and Humana, across multiple service channels – phone, SMS, webchat, social media, and others. Under GDPR, Hyatt and Humana are data controllers, because they collect the personal information of their customers. Interactions, as a service provider to these companies, is a data processor – we process information to determine how our clients can best respond to their customers’ inquiries. And, because we’re working with a lot of voice data from phone interactions, the role of the processor becomes even more challenging under GDPR.
GDPR and Voice Recordings
As a customer care company, a large portion of the information Interactions processes continues to be voice recordings that are collected via phone calls with customers. Unlike text-based information – IP addresses, first and last names, emails, etc. – voice presents some unique challenges when it comes to being GDPR compliant. Sorting through call recordings and finding specific pieces of conversation that include the customer’s personal information requires unique technology that can search through millions of call logs to find personal data.
Under GDPR, a customer in the EU can contact one of our clients requesting the erasure of their data from a phone call that happened a month ago. We handle millions of voice transactions a day. That means, in order to find this specific person’s transaction from a month ago, we need to sift through hundreds of thousands of hours of recordings, and it’s not as simple as searching through textual data.
Preparing for GDPR
Interactions has been preparing for GDPR for over a year now. We have mapped information flows, identified processes and systems that collect personal data and studied GDPR, so we can fully understand our obligations as a data processor. One way to ensure compliance is to develop solutions that make it easier to sift through huge amounts of data. To that end, Interactions has developed a GDPR API that our clients can use to submit requests from their EU customers regarding their personal data. This solution supports both the “Right to Access” (receive a report on all stored personal data in electronic format), and the “Right to be Forgotten” (erasure of all personal data) – providing either a confirmation of the erasure so the client will have a record of the deletion to show their customer, or a personal data report.
As companies prepare for GDPR, they should think about utilizing the services of legal and technical data privacy experts who can help them understand how their services are affected by GDPR and what they need to do to ensure compliance. In addition to ensuring that their products and services are GDPR compliant, companies should also consider implementing internal training for all employees affected by the law – everyone from the sales and marketing teams to the HR and operations departments.
As challenging as it has been for companies to go through the process of preparing for GDPR, at the end of the day, this is a step in the right direction. GDPR is changing the way companies view and protect the personal information of their customers. In addition to helping ensure the integrity of personal data, GDPR compliance also presents the opportunity to improve the trust relationship between companies and their customers. To the extent that both consumers and businesses feel their information is secure, they will feel more comfortable giving GDPR-compliant companies their business.