GDPR

Article ID: 95950  

Question
GDPR Compliance info

Answer

About the GDPR regulation

The GDPR creates a unified European framework for personal data protection. In France this area was until now governed by the Data Protection Act of 6 January 1978 and by EU Directive 95/46/EC, adopted in 1995 and transposed into French law by Law 2004-801 of 6 August 2004.

These texts established the principles governing how the personal data of natural persons is collected and processed: consent of the data subject, a purpose defined before collection, data security, rules for transfers, and so on.


Adopted in 1978 and 1995, these texts could not foresee the explosion of personal computing, the internet, social networks, smart devices, cloud computing and more, which revealed their limitations and made it necessary to update the legislation.


Furthermore, transposing the directive into the laws of the various EU member states resulted in divergences in national legislations, which need to be standardised.

Consequently, in 2012 the EU began drafting a regulation to replace the directive; a regulation applies directly in every member state without transposition and therefore allows greater harmonisation. It was adopted on 27 April 2016 and applies from 25 May 2018.

 

What is the scope of this regulation?


The GDPR applies to all processing of personal data carried out wholly or partly by automated means, and to manual processing of data that forms part of (or is intended to form part of) a filing system (Article 2).


Processing is any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means (Article 4(2)).

E.g. Collection, storage, modification, extraction, viewing, use, communication, destruction, etc.

Personal data is any information relating to a natural person who can be identified, directly or indirectly, from it. E.g. identity (full name), email address, IP address, telephone number, location data, consumer habits, etc.

Given the breadth of these definitions and the nature of an e-commerce business, it is highly likely that you process personal data.

The other criterion for the regulation to apply is a geographical link between the processing and the European Union.


In practical terms, the GDPR applies when (Article 3):

  1. The controller or its processor has an establishment in the European Union and the processing takes place in the context of that establishment's activities, wherever the processing itself is carried out.
  2. The controller or its processor has no establishment in the European Union, but the processing relates to offering goods or services to persons in the Union (whether or not payment is required) or to monitoring their behaviour within the Union.


In other words, this regulation applies to most companies that serve customers in the European Union, regardless of where the company itself is located.

 

What does the regulation cover?
How can you comply with it?


The regulation restates or creates obligations on controllers, who must comply with them by implementing appropriate technical and organisational measures and must be able to demonstrate that compliance: this is the principle of "accountability" (Article 5(2) and Article 24).

Finally, what is new in this regulation is the greater role played by the supervisory authority and the severity of the sanctions for a controller's failure to comply: administrative fines of up to 20 million euros or 4% of total worldwide annual turnover, whichever is higher (Article 83).

 

OBLIGATIONS INCUMBENT ON CONTROLLERS

The regulation requires controllers to observe the basic principles governing the processing of personal data and to respect the rights of data subjects.

Article 5 of the GDPR lists the principles relating to the processing of personal data, such as processing in a lawful, fair and transparent manner. Personal data must be collected for specified, explicit and legitimate purposes and must not be further processed for a purpose that is incompatible with the purpose for which it was collected.

To assess whether a later purpose is compatible, you must consider criteria such as the existence of a link between the initial and the later purpose, the context in which the data was collected (in particular the relationship between the data subject and the controller), the nature of the data, and the possible consequences of the further processing for the data subject (Article 6(4)).

For example, for chat data you might establish a purge schedule with your LiveHelpNow account manager (e.g. a weekly purge, or immediate purge once the chat is completed), since it may be argued that once a chat is closed there is no need to archive the contact data for later reuse.
For ticket/email data you may consider a longer archive period, since a contact may need to re-initiate or update the email thread after one of your agents has replied to it. Your LiveHelpNow account manager can also help you establish a purge schedule for ticket data according to your requirements.

 

Data minimisation (personal data must be "adequate, relevant and limited to what is necessary", Article 5(1)(c)) means that the controller must collect only the data required for the purpose of the processing.

 Review the data you require on the pre-chat form, the ticket submission form and within the chat transcript. Collect only the data you actually need to handle your customers' requests in chat or by ticket; every field you make mandatory must be justified by that purpose.

 

Storage limitation (Article 5(1)(e)): contact data must be kept in a form that allows the data subject to be identified for no longer than is necessary for the purpose for which it is processed.

 Define internal processes to determine how long chat and email data should be stored in your LiveHelpNow account. Once determined, contact your LiveHelpNow account manager to establish a purge schedule for personal data according to your requirements.

Note the exception: some situations require that data be archived. These are "intermediate" archives, comprising "data that preserve their administrative interest for the departments involved". If your organisation's internal processes qualify for this exception, you may choose to archive personal data for a longer period; document the reason and the retention period you apply.
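As an added illustration (this is not LiveHelpNow's code, and the record kinds, retention periods, field names and sample records are assumptions made for the example), the following Python expresses the purge rules discussed above for chat and ticket data as a checkable policy: chat records are purged as soon as they close, ticket records are kept for a reopening window, open conversations are never purged, and the intermediate-archive exception is honoured only when a reason is documented.

```python
"""Retention policy check for support records (constructed example).

Assumptions (not LiveHelpNow's code or defaults): record kinds "chat" and
"ticket", the retention periods below, and the sample records at the end.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional

# Retention period per record kind, counted from the moment the
# conversation closes. Hypothetical values chosen for the example.
RETENTION = {
    "chat": timedelta(0),          # purge as soon as the chat is completed
    "ticket": timedelta(days=90),  # keep while the customer may reopen the thread
}


@dataclass
class Record:
    record_id: str
    kind: str                       # "chat" or "ticket"
    closed_at: Optional[datetime]   # None while the conversation is still open
    archive_hold: bool = False      # "intermediate archive" exception applies
    hold_reason: str = ""           # documented ground for the hold


def is_due_for_purge(rec: Record, now: datetime) -> bool:
    """True when the record's retention period has expired.

    Open conversations are never purged (their purpose is still active).
    Records under a documented archive hold are kept, but a hold without a
    stated reason is rejected rather than silently honoured, and an unknown
    record kind raises instead of being retained by default.
    """
    if rec.closed_at is None:
        return False
    if rec.archive_hold:
        if not rec.hold_reason:
            raise ValueError(f"{rec.record_id}: archive hold without a documented reason")
        return False
    period = RETENTION.get(rec.kind)
    if period is None:
        raise ValueError(f"{rec.record_id}: no retention period defined for kind {rec.kind!r}")
    return now >= rec.closed_at + period


def select_for_purge(records: Iterable[Record], now: datetime) -> List[str]:
    """Return the ids of records whose personal data should be purged at `now`."""
    return [r.record_id for r in records if is_due_for_purge(r, now)]


# Constructed sample data for the example.
NOW = datetime(2018, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    Record("chat-1", "chat", NOW - timedelta(minutes=5)),            # closed: purge
    Record("chat-2", "chat", None),                                  # still open: keep
    Record("ticket-1", "ticket", NOW - timedelta(days=100)),         # past 90 days: purge
    Record("ticket-2", "ticket", NOW - timedelta(days=30)),          # may be reopened: keep
    Record("ticket-3", "ticket", NOW - timedelta(days=400),
           archive_hold=True, hold_reason="open warranty dispute"),  # intermediate archive: keep
]

if __name__ == "__main__":
    print(select_for_purge(SAMPLE_RECORDS, NOW))  # ['chat-1', 'ticket-1']
```

The two `ValueError` branches are the practitioner's safeguards: a record kind with no defined retention period, or a hold with no documented reason, stops the purge run so the gap is noticed, rather than quietly retaining personal data beyond the period you decided on.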

 

Principles of "lawful" processing of PI data

Article 6 of the GDPR states that processing is lawful only if at least one of the following applies:

  1. The data subject has given consent to the processing for one or more specific purposes.
  2. Processing is necessary for the performance of a contract with the data subject, or for pre-contractual steps taken at the data subject's request.
  3. Processing is necessary to comply with a legal obligation to which the controller is subject.
  4. Processing is necessary to protect the vital interests of the data subject or of another natural person.
  5. Processing is necessary for a task carried out in the public interest or in the exercise of official authority vested in the controller.
  6. Processing is necessary for the legitimate interests pursued by the controller or by a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject.

 Identify and document which of these bases applies to the chat and ticket data you process. For customer support this is typically performance of a contract or legitimate interest; any reuse of the contact data for another purpose, such as marketing, needs its own lawful basis, which will usually be consent.

To meet the obligations relating to the rights of data subjects, you must collect and process their data only after informing them, through an easily accessible notice (e.g. a privacy policy available online) written in clear and plain language (Articles 12 to 14).

 Consider adding a short notice to the pre-chat and ticket submission forms explaining how your company uses the personal data collected, with a link to your privacy policy.
TO CONSIDER: You are exempt from this obligation to inform where, and insofar as, the data subject already has the information.

Important

 If you receive a request to exercise one or more of these rights, you must respond to the data subject without undue delay and in any event within one month of receiving the request. This period may be extended by two further months where necessary, given the complexity and number of requests, but you must inform the data subject of the extension and its reasons within one month of receiving the request (Article 12(3)).

If you do not act on the request, you must inform the data subject within one month of the reasons for not acting and of their right to lodge a complaint with the supervisory authority (the CNIL in France) or to seek a judicial remedy (Article 12(4)).

 

How LiveHelpNow (LiveHelpNow, LLC) complies with the GDPR

LiveHelpNow has complied with the EU-US Safe Harbour framework governing transfers of EU personal data, and now complies with the GDPR.
We do not use tracking cookies that carry any personal data.
We store data the way you (our client) configure the account: you may choose to store customer data for as long as you wish, or not store it at all and have it purged immediately after chat completion or ticket closure.
If your requirement is to avoid storing any customer data, let us know and we will configure an automatic purge for your account.

In addition, the personal data the platform collects is fully configurable by you (our client): which fields are collected, and which of them are required or optional.

All data is transmitted over an encrypted channel and is encrypted at rest.

Account access may be restricted to specific IP addresses so only agents working in your facility are able to access your LiveHelpNow account.

A strict password policy is enforced, and accounts are locked out after repeated incorrect authentication attempts.

We have strict controls in place to notify the account owner within 72 hours if a personal data breach occurs, so that you, as controller, can meet your own obligation to notify the supervisory authority within 72 hours of becoming aware of the breach (Article 33).

Need more info? Please contact support.

Article Details
Created on: Apr 19, 2018