Callbox and the GDPR
The EU’s General Data Protection Regulation (GDPR) takes effect this month. As one of the most important pieces of legislation on data privacy, the GDPR includes some sweeping rules and requirements that will impact the ways businesses process the personal data of EU individuals.
At Callbox, we take this opportunity to enhance how we handle our partner’s and customers’ data. We’ve been working to make our data management practices more transparent and more secure, not only to help us prepare for the GDPR, but more importantly to maintain our commitment to the privacy and protection of your data.
Below, we talk about how the GDPR applies to Callbox and outline the steps we’ve taken to ensure we comply with the new regulation. Please note that the information contained in this resource is provided for informational purposes only and shouldn’t be construed as legal advice.
GDPR Overview
On May 25, 2018, the GDPR will finally come into force. The GDPR is a set of laws that greatly improves the protection of personal data for EU citizens and residents, while at the same time increasing the duties and responsibilities of companies that collect and maintain such information.
Here are some key highlights:
- It gives EU individuals more control over their personal information.
- It mandates additional requirements for organizations to protect personal data.
- It strengthens the roles and powers of EU data authorities and enhances fines and sanctions.
- It applies to all organizations that collect and handle the personal information of EU individuals, regardless of where an organization is located.
How the GDPR Affects Callbox
Callbox has no operations, employees, partners, or contractors in the EU. However, to the extent that Callbox “monitors” EU individuals via the Internet (for example, through their use and access of the Callbox website), we believe the GDPR may apply to us under this condition. This is accordingly where we focus the bulk of our efforts at GDPR compliance.
What we have done to comply
As of May 25 implementation of the GDPR, we’ve carried out a thorough review of our data processing practices and have taken the following steps:
| Requirement | Description | Status |
|---|---|---|
| Data Protection Officer (DPO) | We have designated a DPO to oversee GDPR compliance and carry out the responsibilities described under Article 37. | Completed |
| Security of Processing | Whatever data we collect and store, we ensure that these are all completely secure and have implemented SSL encryption on all our websites and online services for secure communication. We have also implemented real-time alerts, security logging and monitoring of our servers and online services and also do scheduled audit checks of server logs. | Completed |
| Lawful Basis for Processing | We have updated our Privacy Policy and Cookie Policy to clearly indicate that our lawful basis for processing personal information includes consent and our legitimate interests. | Completed |
| Conditions for Consent | We have taken steps to ensure that data subjects freely provide consent, and that consent is given through positive opt-in. | Completed |
| Rights of Data Subjects | Our updated Privacy Policy explains the rights of data subjects including the options to delete, update, manage, or download their data. Our updated privacy policy also informs data subjects the purpose of each piece of personal data we collect. | Completed |
| Data Protection Addendum (DPA) | We provide a DPA to all of our customers to supplement our Privacy Policy. | In progress |
| Breach Reports | We have implemented a plan to notify the right supervisory authorities and data subjects within 72 hours after discovery of a security breach involving personal data. | In progress |
| Controller-Processor Relationships | As data controller, Callbox ensures the security of data subjects’ personal data by signing data processing agreements with each of our data processors. | In progress |
Callbox’s Commitment to Data Security, Protection and GDPR Compliance
Callbox has committed to compliance with the GDPR and our services already include the functionality necessary for our operations and processes to comply. We have examined the relevant provisions of the GDPR that pertain to the data we keep and we are closely tracking additional applicable GDPR guidance being issued.
Steps taken concerning our contact database:
- Callbox has appointed a Data Protection Officer assigned the task of securing data and compliance with the GDPR guidelines.
- Callbox has implemented appropriate technical and organizational measures to ensure a level of security appropriate required by the GDPR.
- Since our target markets are North America and the Asia-Pacific, Callbox is not actively collecting any personal data on EU-member country residents. This is our assurance to clients that any data we provide them will not expose them to any risk of any GDPR penalties.
- To further guarantee compliance, we have searched our records for possible EU-member residents on our contact database based on the country they are in and we have removed their personal information which mainly consisted only of their company email address. Although these are company-assigned email addresses, they contained first and last name data which directly pointed to a specific data subject.
- Unique client-supplied data will only be used for that specific client’s campaign and is afterward removed from Callbox’s database after the campaign. Callbox will require assurance from the Client that any data turned over to Callbox is GDPR compliant.
