What Does GDPR Mean For Us?
We have many customers that are located in the EU. Additionally, we have customers outside of the EU that have end-users located in the EU. Thus, GDPR applies to us and is something we must comply with.
We are, by GDPR standards, both a data controller (for customer data) and a data processor (for our customers’ end-user data).
We are responsible for controlling data from our customers. This includes business information, payment history (not credit card information), and personal information. We collect and store this data from our customers for providing our service, which makes us a controller by GDPR standards.
Additionally, we are responsible for processing data on behalf of our customers. This data is collected from, or sent to us by, their end-users. Our customers are the data controllers, while we process their end-users’ data. We measure and manage the performance of real-time communications, which makes us a processor by GDPR standards. Specifically, we process the data of our customers’ end-users in their video or audio calls.
GDPR regards controllers and processors as separate entities that must meet separate obligations. As such, we are required to comply with the rules for both controllers and processors.
From the inception of callstats.io, we have followed a lot of best practices. We have consistently minimized the personal data we collect from customers, and we ensure customers have always been able to control their data. For example, customers have complete control over conference identifiers and customer names in our REST API and client API. Additionally, we have guidelines in place to prevent employees without proper permissions from accessing personal customer data. These best practices made GDPR compliance a lot easier than it could have been.
However, we still faced some issues. For example, customers sometimes send user and conference identifiers that contain personal data (e.g., setting the conference ID to a personal phone number), which is not particularly responsible. Behind the scenes, we address this with industry-standard protection measures, including encryption and pseudonymization of potentially personal data. As a result, we are able to achieve compliance without affecting the customer experience. We addressed several similar issues to ensure we were properly following the GDPR requirements.
There is significant uncertainty and ambiguity that comes along with GDPR. Specifically: how will the courts handle these cases, what should we expect from governments as far as enforcement is concerned, and how will the businesses we work with address compliance issues? In order to address that as effectively as possible, we worked toward a single goal.
callstats.io is committed to protecting all the data we handle.
How Have We Changed?
We are responsible for protecting all customer and end-user data we control and process. In order to accomplish this, we have made several enhancements to our system, both internally and externally. We focused on doing this in the most customer-friendly way possible, with as few changes to customer workflows as was feasible. We will explain all of these updates, including what has changed, how it changed, and what it means for our customers, in several upcoming blog posts. Furthermore, we will be notifying our customers by email over the forthcoming weeks.
What Do We Recommend?
The number of organizations not ready for GDPR is pretty astonishing, especially considering the potential for substantial fines. If we could go back in time, we would say start early, and be thorough. In fact, following general best practices from the beginning can make the GDPR transition a lot easier.
Now, however, is the time to buckle down and get GDPR compliance under control - even if you have not started. This is an important set of regulations that could have a severe impact on your organization’s future and the future of your customers. Take it seriously.