From May 2018, the European Union General Data Protection Regulation shall come into effect. From that moment, all personal identifiable data of subjects of the European Union needs to be very well protected. For Expense Management also some principles need to be considered.
To make sure companies do their best to be compliant to the new regulation, the fines under the GDPR are truly impressive; up to 20 million or 4% of the global annual turnover. These fines can be given for insufficient provisions for data protection.
So how does this impact your Telecom Expense Management
As personal identifiable data is gathered and processed for telecom expense management, namely Call Detail Records (CDR's), there are some important principles of the GDPR to consider:
Lawful processing. First of all, you better be sure that you have a legal ground to process telecom data. This could be a service contract or legal obligation. Article 5 of the GDPR clearly states that data can only be processed in line with the original purpose of the data collection “and not further processed in a manner that is incompatible with those purposes”. What follows from the principle of lawful processing is that all personal identifiable data including call detail records can only be stored as long as this is needed.
Data subject should give permission. You are not allowed to process or even just store any personal identifiable data of living individuals without their permission. This includes the processing or storing of call detail records. Permission should be explicit. An opt-out option will not suffice. Under the GDPR consent requires an affirmative action.
Data subjects’ right to be forgotten. If a person demands its personal data or more specifically its telecom data to be removed, you need to be able to process this request without delay and within a month. Meaning you need have the infrastructure in place to receive and process such requests, need to know what kind of data you store and where and even be able to easily locate and delete data of a specific data subject. It is also important to consider what remains of your data set, that you use for reporting, after certain data is torn from it. How much value will your reports have when the underlying data set is incomplete?
Processors should apply to your obligations as well. As the data owner, also known as the data controller, you are responsible for the protection of the personal data even if you contract a supplier to do the actual processing for you.Accountability and liability should be expanded to all partners in the supply chain.Are your sure your processing suppliers are compliant with the GDPR?
Outside the EU
The GDPR applies to any EU citizen, so also impacts companies outside the EU that employ EU citizens that store personal data within or outside the European Union.
The GDPR has special attention for transfers of personal data to countries outside the European Union. All non- European Union countries have been assessed by the European Commission to identify if they have adequate levels of protection to ensure the safety of the personal identifiable data. The assessment is based on existing national legislation and the effective functioning of a supervisory body. For transfers to countries that passed the test no additional authorization is required.
But for countries that are not deemed to ensure adequate levels of protections, like the U.S.A., authorization for transferring personal data to processors in these countries is needed and could be granted via the contractual model clauses.
But be careful, you as the data controller are still responsible that appropriate safeguards are provided. The model clauses state that the data exporter needs to warrant that the processing including the transfer is done in accordance to the law and the data importer will provide sufficient guarantees in the respect of the technical and organization security measures.
Signing model clauses with your TEM provider will therefore not divert your responsibility and liability.
Time for action
The above is merely a selection of things to consider under the GDPR. But in order to avoid the 20 million dollar fines while still enjoying the benefits of telecom expense management in 2018 it is best to start considering them now. Please also check out our blog on How to prepare your TEM for the GDPR.