As part of your telecom expense management you process multi types of personal identifiable data, such as contact details, call details and human resource information. That GDPR has impact on Telecom Expense Management we already described in our earlier blog GDPR impact on Telecom Expense Management. But how do you prepare yourself?
From May 2018, the European Union General Data Protection Regulation shall enter into force. From that moment, all personal identifiable data of subjects of the European Union needs to be protected and regulated. Failure to comply to the GDPR could result into fines of up to 20 million or 4% of the global annual turnover.
4 key steps
So how to start preparing your telecom expense management for the GDPR? There are 4 key steps:
Know what you process
First of all, it is important to have visibility of all the personal identifiable (PI) data your organisation processes. For example, contact details, call record details or subscription information. You should create a processing overview of the data that includes the type of data, the purpose of the processing and the period you store this data. Furthermore, it should state the legal ground which allows you to process the data. For telecom expense management, this legal ground is most likely the execution of a contract or the consent of the data subject.
Prepare Data Subject Rights
Second, be prepared to handle the two important rights of data subjects. First, they have the right to access their own data. It will be sufficient to give an overview of what data of the subject you process and send them an electronic copy containing this data. Second, data subjects also have the right to be forgotten. When the stored personal data is no longer needed for the defined purpose, data subjects can request to be erased. These two rights mean it is necessary that your TEM solution allows for an export of user specific data and the ability to delete user specific data easily without the burden of a lot of manual work.
Secure that Data
Third, as the data controller you are responsible for the proper security of the personal data. Your TEM tool should be designed by privacy by design offering safeguards from unauthorized access and limiting the amount of data that is stored. Additionally, sufficient technological and procedural security measures should be implemented to fully protect the data’s confidentially and integrity. The easiest way to achieve this requirement is to work with a TEM supplier with a renowned security certification that is audited by a third party. For example, a ISO27001 certification.
Implement First Data Breach Response
Last, it is wise to prepare your organization for the occurrence of a data breach. All data breaches need to registered and depending on the severity of the breach, it needs to be reported to the authorities and the data subjects from which data was leaked. Not reporting data breaches could result in significant fines. Therefore, all data breaches should be reviewed to determine if reporting is required. To avoid panicking when a breach happens, make sure you and your TEM supplier have a process and designated person in place to cope with data breaches.
Support from your TEM provider
Your TEM provider should be able to support you to prepare for the GDPR regulation. They are an expert when it comes processing personal data for TEM. They should be able to give you advise and support on GDPR readiness and compliancy while keeping the value of your TEM reporting.
Feel free to contact us if you wish to know more about how we can help you become compliant to the GDPR or read our white paper on the impact of the data retention guidelines on your TEM. And check out one of our next blogs as we will tell you how we can help you and what we are doing within Ezwim to make sure that our tooling is GDPR compliant.