Genesys Cloud and GDPR compliance
Read this article to learn how Genesys Cloud addresses the GDPR and what your organization needs to know about Genesys Cloud’s GDPR implementation. For a general overview of the GDPR, see GDPR overview.
GDPR education
The General Data Protection Regulation (GDPR) is an important change in data privacy regulation. Genesys Cloud invested a significant amount of time in GDPR training for the Security and Compliance team. Training and certification from the International Association of Privacy Professionals (IAPP) began in early 2017. For more information about the GDPR, see GDPR compliance.
GDPR project
Genesys Cloud commissioned a GDPR project to:
- Complete an updated data inventory and determine every location in which Genesys Cloud stores/processes/transmits PII
- Design and implement a GDPR API for our customers to implement their customers’ requests to exercise their fundamental data subject rights
- Complete a Data Protection Impact Assessment
Is Genesys Cloud GDPR-compliant?
Genesys Cloud legal and technical professionals have reviewed the GDPR and completed training and certification provided by the International Association of Privacy Professionals (IAPP). In Genesys Cloud’s role as a data processor, Genesys Cloud has taken measures to meet the requirements of the regulations.
The GDPR requires in Article 28 that data controllers “shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures.” Genesys Cloud has implemented these measures. Our subject matter experts can discuss them with you. For more information, contact dataprivacy@genesys.com.
Is Genesys Cloud GDPR-certified?
No GDPR certification exists for a cloud services provider such as Genesys Cloud. However, Genesys Cloud has undergone multiple independent reviews of our administrative, physical, and technical controls for other data protection regulations, such as HIPAA.
As a data processor, Genesys Cloud implements appropriate technical and organizational measures. For details, see About security and compliance.
Where does Genesys Cloud support GDPR compliance?
Genesys Cloud supports GDPR compliance for all Genesys Cloud deployed Amazon Web Services (AWS) regions.
Do I have to enable GDPR compliance?
You do not have to enable or configure anything within Genesys Cloud for GDPR compliance. The GDPR API is available to all customers. However, the GDPR may require a Data Processing Agreement (DPA) between you and Genesys Cloud. The DPA covers personal data processing.
What are the GDPR requirements for Predictive Engagement?
If your organization plans to use Predictive Engagement to collect data about visitors’ activities on your website, you must follow steps for GDPR compliance. For more information, see Predictive Engagement and GDPR.
What is a DPA or Data Processing Agreement?
The GDPR requires in Article 28 that “Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.”
If you believe that you are subject to the GDPR, Genesys Cloud is ready to discuss a DPA that meets these requirements. To receive a Genesys Cloud DPA, contact dataprivacy@genesys.com.
How should I respond to GDPR data requests?
Genesys Cloud provides a GDPR API as the preferred self-service solution for Genesys Cloud customers to respond to GDPR requests. The GDPR API enables responses to data subject requests to access, rectify, or delete their personal data in Genesys Cloud.
Limitations of the GDPR API
The GDPR API is designed for customers that need to respond to individual data subject requests. The GDPR API is not designed for responding to bulk requests such as bulk data deletion. The GDPR API is subject to rate limits described in the API documentation. These rate limits may restrict attempted bulk operations in order to maintain platform availability.
How does the Genesys Cloud GDPR service work?
What you need to know about the Genesys Cloud GDPR API.
GDPR service endpoints
The GDPR service exposes two endpoints- a first endpoint for identifying the subjects that a given search term matches, and a second endpoint for actually initiating GDPR requests. The subjects endpoint accepts a single search term of a name, address, phone number, or email address, or social media handle, and returns a list of 0 or more matching subjects that consists of a userId, externalContactId, or dialerContactId. The requests endpoint accepts a single search term and a request type of Get, Export, Update, or Delete for responding to Article 15 (access), Article 16 (rectification), and Article 17 (erasure) requests. The requests endpoint accepts a single search term of a name, address, phone number, email address, social media handle, user ID, external contact ID, or dialer contact ID for initiating the specified GDPR request type. If the term is an ID, then the service first resolves it into the corresponding resource (user, external contact, dialer contact) and includes the known fields in the GDPR request.
Subjects endpoint identifies subjects and search term matches
The subjects endpoint accepts a single search term of four types: name, address, phone, or email and returns a list of all the subjects that match the search term. A subject may be a userId, externalContactId, or dialerContactId. The returned list could contain zero subjects, a single subject, or many subjects.
Genesys Cloud recommends using the subjects endpoint for every potential GDPR request to identify which individual(s) a subsequent request endpoint affects. By finding any subjects matching a search term, Genesys Cloud customers can reduce the risk of unforeseen effects of a given GDPR request. The subjects endpoint can also be used to disambiguate results when a given search term matches multiple subjects. Specifically, since the subjects endpoint returns all matching subjects for a given search term, an API user may discover a more accurate search criteria for a subsequent GDPR request.
For data stored by some Genesys Cloud features and services you must use the GDPR API with a subject. These services that require a subject to be included in the GDPR API request are:
Requests endpoint accepts a single search term and specific request types
The requests endpoint accepts a single search term of any type (name, address, phone, email, user ID, external contact ID, dialer contact ID ) and a single request type of Get, Export, Update, or Delete and returns a GDPR request which has been created and initiated. Export corresponds to an Article 15 (access) request, Update corresponds to an Article 16 (rectification) request, and Delete corresponds to an Article 17 (erasure) request. When the request type is “Delete” some services may anonymize personal data rather than delete. The actual processing of that request happens asynchronously. If the given term is a user ID or an external contact ID then the GDPR service first resolves that ID into the corresponding user, external contact, or dialer contact respectively, and includes all known fields from the user, external contact, or dialer contact on the request, in addition to the provided ID.
Customers use the requests endpoint to create an actual GDPR request. They should use the subjects endpoint first, to ensure the search term they use only affects the intended data subject. In the case where multiple criteria are known, they must submit multiple requests, one per term. It is strongly recommended that customers submit requests for every identifier known for an individual. For example, when an individual, or data subject, submits a request to the customer, the customer should collect the individual’s name, phone number, and email address, and submit GDPR requests to Genesys Cloud for each.
Genesys Cloud GDPR API rate limits
While the GDPR applies to data subjects in the European Union, the Genesys Cloud GDPR API is available to customers in all Genesys Cloud regions. However, the GDPR API has strict rate-limiting to maintain performance of the solution.
What if I am using the single customer view?
If your organization uses the single customer view, two or more external contacts can be merged when they represent the same person. This has two implications for the GDPR API.
First, the subjects endpoint could surface multiple external contact IDs that correspond to the same person (in other words, belong to the same merge set). When examining the response from the subjects endpoint, the caller should use the External Contacts API to determine which of the external contact IDs belong to the same merge set. To do this, fetch each contact and determine which ones share the same canonicalContact.
Second, when making a request to the requests endpoint, make only a single request per merge set for the canonical contact id in that merge set. The GDPR API will transparently duplicate the request for each external contact ID in that contact’s merge set and return the related requests in the “relatedRequests” field in the response body.
The related requests are independent, full-fledged requests. Each related request will succeed or fail independently from the others, and the result of each related request must be inspected individually. If one of the related requests fails, wait until all the related requests finish before retrying the request. This keeps the set of in-flight requests easy to understand. If you retry before all the related requests finish, duplicate checking should prevent the system from generating duplicate requests, if requests for other contacts in the merge set are still in flight.
For more information on the contacts data model, canonical contacts and merge sets, see Contact Merging in the Developer Center.
Does the search propagate searching based on data within an External Contact?
No. Customers may use an externalContactId as a subject. A contact with a matching externalContactID may include one or more additional types of Personal Data such as a work phone number, Cell phone number, or social media channel information. When responding to a GDPR API request with an externalContactID subject, Genesys Cloud does not automatically search the platform for Personal Data associated with that contact that is found in those fields. In this scenario, Genesys Cloud recommends that customers review a matching contact and any Personal Data included with the contact and submit any additional GDPR API requests with those subjects. As mentioned above, Genesys Cloud recommends using the subjects endpoint for every potential GDPR request to identify which individual(s) a subsequent request endpoint affects. By finding any subjects matching a search term, Genesys Cloud customers can reduce the risk of unforeseen effects of a given GDPR request.
Does the GDPR API also search file attachments?
ACD interactions, such as email interactions and message interactions (third-party message platforms, such as Facebook Messenger, WhatsApp, and Twitter Direct Message, Genesys Cloud web messaging, and open messaging) may receive personal data in the form of file attachments. Genesys Cloud does not search the contents of such attachments for personal data. Instead, a GDPR request will work with an External ID, and if that specific ID is used in the request, find the conversation and any associated file attachment. Later, the associated file attachments are included and/or removed in a GDPR API response to a subsequent data subject request.
As an example, when a data subject uploads an image through Facebook Messenger, Genesys Cloud uses the External ID to find the conversation and any associated file attachments and uploads it. Later, if the data subject makes an Article 17 erasure request to delete their information, the Genesys Cloud API will remove all files uploaded by that data subject regardless of content. In the example, Genesys Cloud would respond to the GDPR API request and remove the image uploaded by the data subject through Facebook Messenger, regardless of the actual contents of the image.
All ACD interactions containing personal data in the form of file attachments must be associated with a contact profile stored in External Contacts. There is no method to search for personal data stored in ACD interactions independent of External Contacts. If personal data is stored in an ACD interaction through a custom variable, it cannot be found through the GDPR API unless the interaction is associated with a contact profile.
Can you provide an example of a GDPR data subject request response?
This example illustrates an effective response to a GDPR data subject request using the Genesys Cloud GDPR API.
Request
You receive a valid request from a data subject to delete their data. The data subject provided their name and email address.
Response
- Make two separate subject API calls with the two separate identifiers (name and email address) that the data subject provided.
- Review the results of the subjects endpoint requests to disambiguate results and find matching subjects. Only those subjects that can be correlated with identifiers provided by the data subject are considered matching subjects.
- Make individual request API calls for each matching subject identified in step 2. If your two subject endpoint calls returned multiple objects, ensure that you make multiple request API calls, one for each matching subject. Otherwise, your response will be incomplete.
- Check whether the GDPR API generated any related requests as described in “What if I am using the single customer view?”
What if I cannot use the Genesys Cloud GDPR API?
Genesys Cloud recommends using the GDPR API as a self-service option for responding to GDPR requests. If you experience an error using the GDPR API, please submit a case through the MySupport Portal. If you cannot use the GDPR API and need to respond to a GDPR request, our Professional Services team can assist. Contact your Customer Success Manager to create a statement of work for this effort.
How long will it take Genesys Cloud to respond to a GDPR data subject request?
The typical response time for Genesys Cloud to retrieve all personal data in response to an access or portability request is 1-2 days. Regarding a removal or “forget me” request under the GDPR, Genesys Cloud will need no longer than 14 days to remove personal data or make it anonymous upon request.
What if an employee submits an Article 17 erasure request?
Usage of Genesys products requires processing of employees’ personal data (user’s name, work phone number, and work email) for proper functioning of the Genesys solution. Without storing this personal data associated with an employee, Genesys Cloud could stop performing its function. Thus, for current employees, the processing of their personal data is necessary for the purposes of the legitimate interests pursued by the customer. Further, the customer may be required to keep employee interaction records in order to meet other regulatory requirements. Based on the lawfulness of this processing and the design of Genesys products, Genesys does not recommend erasing personal data associated with an ongoing user.
Can customers specify if personal data is deleted or made anonymous?
No. Some Genesys Cloud services delete personal data upon request. Other services make personal data anonymous upon request.
Do I have any responsibilities for using Genesys Cloud in a GDPR-compliant manner?
Yes. You can incorrectly configure certain services that store personal data. This prevents Genesys Cloud from searching, accessing, or removing that data.
- Genesys Cloud Platform: Do not store personal data in custom attribute keys. This field will not be searched, updated, or removed by the GDPR API functionality.
- Architect: Do not store personal data in flow names, flow descriptions, state names, task names, action names, or prompt text to speech values.
- Directory: Do not store personal data in personal status.
- Web messaging interactions: All web messaging interactions containing personal data must be associated with a contact profile stored in External Contacts. There is no method to search for personal data stored in web messaging interactions independent of External Contacts. If personal data is stored in a web messaging interaction through a custom variable, it cannot be found through the GDPR API unless the web messaging interaction is associated with a contact profile.
- Web chat interactions: All web chat interactions containing personal data must be associated with a contact profile stored in External Contacts. There is no method to search for personal data stored in web chat interactions independent of External Contacts. If personal data is stored in a web chat through a custom variable, it cannot be found through the GDPR API unless the web chat interaction is associated with a contact profile.
GDPR roles at Genesys
Genesys employees with roles related to GDPR:
- Chief Privacy Officer – William Dummett
- European Data Privacy Officer – Shahzad Muhammad Naveed Ahmad
- Genesys Cloud Sr. Director of Security & Compliance – Eric Cohen CISSP, CIPM, CIPP/E