In this article, we’ll look at how you can handle some common GDPR scenarios in your Zylinc solution:
What do you do when …
- … people want to know what data you have about them?
- … people want their data to be anonymized or deleted?
- … you have data about former employees in your system?
- … you have data about custom users, like a physiotherapist or the local carpenter?
- … you need to verify who did what on your system, and when?
- … you’re required to delete logs?
GDPR is the European Union’s General Data Protection Regulation. It aims to protect users of data-driven systems and services from misuse of their personal data. GDPR also applies to organizations situated outside the EU, if they process data for or about EU citizens.
Because a Zylinc solution stores and processes phone numbers, e-mail addresses, and other data that can be used to uniquely identify a person, people who use the Zylinc solution are affected by GDPR. That’s why, from Zylinc version 6.5, you get a bunch of features so that you can safely use your Zylinc solution under the GDPR requirements.
On a Zylinc solution, you manage GDPR in the Zylinc Administration Portal. To do that, you must either be an administrator, or your administrator must give you rights to manage GDPR.
When people want to know what data you have about them
With GDPR, people have the right to know what data has been collected about them, and how that data is used. In GDPR terms, that’s often called the right of access.
In the Zylinc Administration Portal you can quickly find data that the Zylinc solution has collected about a specific person. You can get the complete event log for calls, chats, and e-mails that the person who requested the data has been part of. You can then export the data as a CSV (Comma-Separated Values) file, and give it to the person who requested it. Be sure to verify the identity of the person who requests information before you give any data to them.
Hey wait! Isn’t there a risk that the exported data contains data about other people too? Yes, but we’ve taken care of that: Because there’s usually more than one party involved in a call, chat, or e-mail correspondence, all private data, such as phone numbers, e-mail addresses, etc., that isn’t about the person who requested the data, will be anonymized in the CSV file. That way you don’t compromise data about other people.
When people want their data to be anonymized or deleted
With GDPR, people have the right to have data that’s been collected about them anonymized or deleted. In GDPR terms, that’s often called the right to be forgotten.
In the Zylinc Administration Portal you can quickly anonymize or delete data that the Zylinc solution has collected about a specific person – again, be sure to verify the identity of the person who requests the anonymization or deletion before you anonymize or delete any data.
- You can replace all instances of the person’s phone numbers and e-mail addresses in the Zylinc statistics database with the letters GDPR. That’s actually pretty smart, because that way you can anonymize the data, but still keep it for use in your statistics.
- You can delete all A-number lookup results in the Zylinc statistics database for the person in question. A-number lookup is when the Zylinc solution uses the caller’s phone number to look up information about the caller in a CRM system, database, or similar, so that the agent has that information handy when they answer the call. You can also use A-number lookup to prioritize calls from specific people, or to move their calls to specific queues.
- You can delete all of the person’s chat conversations.
- You can get a list of e-mails that the person who requested the deletion has been involved in, but you can’t use the Administration Portal to delete such e-mails. Why not? That’s because the e-mails might contain data that isn’t related to the person who requested the deletion, and if you delete that data, you could possibly violate the rights of other people. However, once you have the list, you can easily delete relevant e-mails from your organization’s e-mail system, if you’re sure that it’s safe to do so.
- You can delete any recordings of calls that the person who requested the deletion has been part of.
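The two operations described so far (an access export that anonymizes the other parties, and replacing the requester's phone numbers and e-mail addresses with the letters GDPR) can be sketched as follows. This is an added illustration, not Zylinc code: the column names, the identifier patterns, the ANONYMIZED token, and the sample rows are assumptions made for the example.

```python
import csv
import io
import re

# Assumed identifier patterns (e-mail, phone-like digit runs); not Zylinc's own.
IDENT = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+|\+?\d[\d\s()-]{6,}\d")
FIELDS = ("from", "to", "note")  # hypothetical columns that can hold identifiers

def norm(value):
    """Canonical form, so '+45 12 34 56 78' and '+4512345678' compare equal."""
    value = value.strip()
    return value.lower() if "@" in value else re.sub(r"\D", "", value)

def scrub(text, subject, mask_subject, token):
    """Replace the subject's identifiers, or everyone else's, with token."""
    def repl(match):
        is_subject = norm(match.group()) in subject
        return token if is_subject == mask_subject else match.group()
    return IDENT.sub(repl, text)

def export_for_subject(rows, subject_ids):
    """Right of access: the subject's events as CSV, other parties anonymized."""
    subject = {norm(i) for i in subject_ids}
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["time", "type", *FIELDS])
    for row in rows:
        if {norm(row["from"]), norm(row["to"])} & subject:
            cells = [scrub(row[f], subject, False, "ANONYMIZED") for f in FIELDS]
            writer.writerow([row["time"], row["type"], *cells])
    return out.getvalue()

def forget_subject(rows, subject_ids):
    """Right to be forgotten: keep every row, replace the subject with GDPR."""
    subject = {norm(i) for i in subject_ids}
    return [{**row, **{f: scrub(row[f], subject, True, "GDPR") for f in FIELDS}}
            for row in rows]

# Constructed sample events; the numbers and addresses are made up.
ROWS = [
    {"time": "2024-03-01T09:15", "type": "call", "from": "+45 12 34 56 78",
     "to": "+4587654321", "note": "Call back on +4512345678"},
    {"time": "2024-03-02T10:00", "type": "email", "from": "bob@example.org",
     "to": "Alice@Example.com", "note": "cc carol@example.net"},
    {"time": "2024-03-03T11:30", "type": "chat", "from": "dave@example.org",
     "to": "+4587654321", "note": ""},
]
SUBJECT = ["+4512345678", "alice@example.com"]
```

Identifiers are normalized before comparison, so the same number written with or without spaces is treated as one person, and free-text notes are scrubbed along with the address columns.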
Hey wait! I work in a bank. Are we not required to keep recordings of investment advice and stuff like that? That’s true: Some organizations, for example in the finance sector, may be required by law to keep recordings of certain calls, e-mails, and chat conversations. When that’s the case, GDPR requirements rank lower. That means that you must not delete recordings, e-mails, or chat conversations in order to comply with GDPR, if another law or regulation tells you to keep them. Consult your organization’s legal adviser if in doubt.
Anonymize or delete all data after a certain time
If your organization has policies that require you to anonymize or delete all data that is older than, for example, three months, the Zylinc Administration Portal helps you do that.
Former employees and custom users
If an employee has left your organization, you may be asked to supply, anonymize, or delete data about that person.
The same may be the case with data about custom users. Custom users are people whom agents, receptionists, etc. have added in their Zylinc clients in order to be able to easily view contact data about them, for example a physiotherapist that your organization often uses, or a town car driver that your organization likes to use for taking people to or from the airport.
The Zylinc Administration Portal has dedicated features that help you handle data about former employees as well as custom users.
Administration Portal audit log
Reading this article, you’ll have realized that there’s a lot of GDPR stuff that you can handle in the Zylinc Administration Portal. But who did what in the Administration Portal, and when?
You may sometimes need that information, for example to confirm who exported some data. For this reason, the Administration Portal has an audit log. You view the Administration Portal audit log in the Zylinc Statistics Portal (look for Logs in the menu).
BTW, if you use the audit log to verify that somebody exported, anonymized, or deleted data as part of a GDPR-related request, note that the log will show who did the export, etc., and when, but not whose data was exported, anonymized, or deleted. If the audit log showed whose data was handled, it would be a breach of the GDPR requirements.
Zylinc application logs
You can find and delete application log files for the Zylinc Windows services as well as Apache services for each deployed Tomcat instance. Of course, you also have the ability to only delete files from before a certain date.
If you want more information about how to comply with GDPR on a Zylinc solution, read the article Comply with GDPR (administrator’s view) on Zylinc unified help. If you don’t yet have access to Zylinc unified help, go to help.zylinc.com and request access. We’ll deal with your request as quickly as possible. If you’ve already signed up, but you’ve forgotten your password, use this procedure.
On Zylinc unified help, there’s also a short version for all of you agents and receptionists out there.
You’re often the people who get the actual GDPR questions or requests from people, but you may not have the rights to export, anonymize, or delete data yourselves.
The short version simply explains what’s possible, so that you can advise people about their options, and pass on the requests to colleagues who can then perform the actual export, anonymization, or deletion.