The General Data Protection Regulation (GDPR) becomes effective on May 25, 2018. For many companies, this means procedural changes as well as changes to contracts and new product features to comply with various requirements of the GDPR.
NICE inContact is no different and over the past year we have been reviewing our internal processes and all our standard agreements. The changes we have made fall into several categories and impact all our customers in some way. Most require no action on your part.
NICE inContact is a global company with operations in many countries. The locations of some divisions like support and professional services, as well as our network operations centers, mean customer data will leave the EU at some time. There are two ways we support these transfers. The first is by participating in the EU-U.S. Privacy Shield (through NICE Ltd.). The second is through the use of standard contractual clauses that are part of our updated data processing agreement. This agreement is available to all our customers. Whether a customer should use a data processing agreement depends on their circumstances. If you would like one, please reach out to our Legal Department at email@example.com.
A key aspect of the GDPR is full disclosure of the processing that is done on data provided by your customers. NICE inContact is a data processor and our customers and partners are data controllers. It is important we process data only under the direction of the data controller. This direction comes in several different ways, primarily through the service contract. The service contract identifies the different services that the customer has selected. Each service defines the data that is collected and indicates how it will be processed. Other ways that the data controller can request processing are through work orders or even by entering a support ticket.
A related aspect of data processing is the use of sub-processors, or service providers we use to assist us in providing our services. Some of these sub-processors must have access to customer data, and this means they must be disclosed as part of our data processing agreement. NICE inContact has a sub-processor list available on our support site.
Data Subject Requests
Data subjects can make requests to their data controller for a variety of different actions – like the “right to be forgotten”. Since NICE inContact is not a data controller for our services, these requests come to us from our customers and partners and not directly from the data subject.
We are using our standard work order process to manage these requests. As part of opening a GDPR work order, the customer or partner will be asked for information about the requesting data subject, as well as the type of request being made. The individual making the request must be an authorized point of contact for the customer. Once the request is satisfied, the customer will be notified and provided with any results. Note that the GDPR allows up to three months (with notification) for these requests to be handled, and we anticipate using much of the allowed time due to the complexity of our services.
There are many aspects of the GDPR that do not receive a lot of attention but can represent fundamental changes in how companies operate. An example of this is data minimization, a principle that states companies should not keep information longer than required for a business purpose. For companies that provide information-based services, like NICE inContact, this means giving our customers much more control over things like data lifecycle. In the past, most customers wanted to store information “forever”. This is starting to change, as companies become more sensitive to privacy concerns.
Our customers and partners will see continued changes and new product features in future releases that will allow them, as data controllers, to more fully specify how they want data processed. NICE inContact is committed to helping you meet all your compliance requirements – including those related to PCI, HIPAA, FedRAMP, and the GDPR – by continuously adapting to customer expectations and different regulations.
If you have any questions about the GDPR and how it relates to your use of our services, please reach out to your account manager or our support organization.