The General Data Protection Regulation (GDPR) becomes effective on May 25, 2018. For many companies, this means procedural changes as well as changes to contracts and new product features to comply with various requirements of the GDPR.
NICE CXone is no different and over the past year we have been reviewing our internal processes and all our standard agreements. The changes we have made fall into several categories and impact all our customers in some way. Most require no action on your part.
Information Transfer
NICE CXone is a global company with operations in many countries. The locations of some divisions like support and professional services, as well as our network operations centers, means customer data will leave the EU at some time. There are two ways we support these transfers. The first is by participating in the EU-U.S. Privacy Shield (through NICE Ltd.). The second is through the use of standard contractual clauses that are part of our updated data processing agreement. This agreement is available to all our customers. Whether a customer should use a data processing agreement depends on their circumstances. If it is desired, please reach out to our Legal Department at legal@niceincontact.com.
Privacy Policy
Part of our preparation for the GDPR was a complete review of our privacy policy. Many companies have been updating their privacy policies over the last few weeks, and so have we. NICE CXone has divided our privacy policy into a web version, which covers our primary web site, and a product version, which covers our customers’ use of our services. These versions were split in order to better address the privacy concerns of our customers. The product version can be found on our support site. The changes to this document make clear how we treat the privacy of customer information as they use our services.
Data Processing
A key aspect of the GDPR is full disclosure of the processing that is done on data provided by your customers. NICE CXone is a data processor and our customers and partners are data controllers. It is important we process data only under direction of the data controller. This direction comes in several different ways, primarily through the service contract. The service contract identifies the different services that the customer has selected. Each service defines the data that is collected and indicates how it will be processed. Other ways that the data controller can request processing is through work orders or even by entering a support ticket.
A related aspect of data processing is the use of sub-processors, or service providers we use to assist us in providing our services. Some of these sub-processors must have access to customer data, and this means they must be disclosed as part of our data processing agreement. NICE CXone has a sub-processor list available on our support site.
Data Subject Requests
Data subjects can make requests to their data controller for a variety of different actions – like the “right to be forgotten”. Since NICE CXone is not a data controller for our services, these requests come to us from our customers and partners and not directly from the data subject.
We are using our standard work order process to manage these requests. As part of opening a GDPR work order the customer or partner will be asked for information about the requesting data subject, as well as the type of request being made. The individual making the request must be an authorized point of contact for the customer. Once the request is satisfied, the customer will be notified and provided with any results. Note the GDPR allows up to three months (with notification) for these requests to be handled, and we anticipate using much of the allowed time due to the complexity of our services.
Future Direction
There are many aspects of the GDPR that do not receive a lot of attention but can represent fundamental changes in how companies operate. An example of this is data minimization, a principle that states companies should not keep information longer than required for a business purpose. For companies that provide information-based services, like NICE CXone, this means giving our customers much more control over things like data lifecycle. In the past, most customers wanted to store information “forever”. This is starting to change, as companies become more sensitive to privacy concerns.
Our customers and partners will see continued changes and new product features in future releases that will allow them, as data controllers, to more fully specify how they want data processed. NICE CXone is committed to helping you meet all your compliance requirements – including those related to PCI, HIPAA, FedRAMP, and the GDPR – by continuously adapting to customer expectations and different regulations.
If you have any questions about the GDPR and how it relates to your use of our services, please reach out to your account manager or our support organization.
