From May 2018, the European Union General Data Protection Regulation shall come into effect. From that moment, all personal identifiable data of subjects of the European Union needs to be very well protected. For Expense Management also some principles need to be considered.
To make sure companies do their best to be compliant to the new regulation, the fines under the GDPR are truly impressive; up to 20 million or 4% of the global annual turnover. These fines can be given for insufficient provisions for data protection.
So how does this impact your Telecom Expense Management
As personal identifiable data is gathered and processed for telecom expense management, namely Call Detail Records (CDR's), there are some important principles of the GDPR to consider:
Lawful processing. First of all, you better be sure that you have a legal ground to process telecom data. This could be a service contract or legal obligation. Article 5 of the GDPR clearly states that data can only be processed in line with the original purpose of the data collection “and not further processed in a manner that is incompatible with those purposes”. What follows from the principle of lawful processing is that all personal identifiable data including call detail records can only be stored as long as this is needed.
Data subject should give permission. You are not allowed to process or even just store any personal identifiable data of living individuals without their permission. This includes the processing or storing of call detail records. Permission should be explicit. An opt-out option will not suffice. Under the GDPR consent requires an affirmative action.
Data subjects’ right to be forgotten. If a person demands its personal data or more specifically its telecom data to be removed, you need to be able to process this request without delay and within a month. Meaning you need have the infrastructure in place to receive and process such requests, need to know what kind of data you store and where and even be able to easily locate and delete data of a specific data subject. It is also important to consider what remains of your data set, that you use for reporting, after certain data is torn from it. How much value will your reports have when the underlying data set is incomplete?
Processors should apply to your obligations as well. As the data owner, also known as the data controller, you are responsible for the protection of the personal data even if you contract a supplier to do the actual processing for you.Accountability and liability should be expanded to all partners in the supply chain.Are your sure your processing suppliers are compliant with the GDPR?
Time for action
The above is merely a selection of things to consider under the GDPR. But in order to avoid the 20 million dollar fines while still enjoying the benefits of telecom expense management in 2018 it is best to start considering them now.