PureCloud and GDPR compliance
Read this article to learn how PureCloud addresses the GDPR and what your organization needs to know about PureCloud’s GDPR implementation. For a general overview of the GDPR, see GDPR overview.
The General Data Protection Regulation (GDPR) is an important change in data privacy regulation. Genesys PureCloud invested a significant amount of time in GDPR training for the Security and Compliance team. Training and certification from the International Association of Privacy Professionals (IAPP) began in early 2017. For more information about the GDPR, see GDPR compliance.
PureCloud commissioned a GDPR project to:
- Complete an updated data inventory and determine every location in which PureCloud stores/processes/transmits PII
- Design and implement a GDPR API for our customers to implement their customers’ requests to exercise their fundamental data subject rights
- Complete a Data Protection Impact Assessment
Is PureCloud GDPR-compliant?
PureCloud legal and technical professionals have reviewed the GDPR and completed training and certification provided by the International Association of Privacy Professionals (IAPP). In PureCloud’s role as a data processor, PureCloud has taken measures to meet the requirements of the regulations.
The GDPR requires in Article 28 that data controllers “shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures.” PureCloud has implemented these measures. Our subject matter experts can discuss them with you. For more information, contact us.
Is PureCloud GDPR-certified?
No GDPR certification exists for a cloud services provider such as PureCloud. However, PureCloud has undergone multiple independent reviews of our administrative, physical, and technical controls for other data protection regulations, such as HIPAA.
As a data processor, PureCloud implements appropriate technical and organizational measures. For details, see About security and compliance.
Where does PureCloud support GDPR compliance?
PureCloud supports GDPR compliance for all of the PureCloud deployed Amazon Web Services (AWS) regions.
Do I have to enable GDPR compliance?
You do not have to enable or configure anything within PureCloud for GDPR compliance. However, the GDPR may require a Data Processing Agreement (DPA) between you and PureCloud. The DPA covers personal data processing.
What are the GDPR requirements for Altocloud?
What is a DPA or Data Processing Agreement?
The GDPR requires in Article 28 that “Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.”
If you believe that you are subject to the GDPR, PureCloud is ready to discuss a DPA that meets these requirements. To receive a PureCloud DPA, contact us.
How should I respond to GDPR data requests?
PureCloud provides a GDPR API as the preferred self-service solution for PureCloud customers to respond to GDPR requests. The GDPR API enables responses to data subject requests to access, rectify, or delete their personal data in PureCloud.
How does the PureCloud GDPR service work?
What you need to know about the PureCloud GDPR API.
GDPR service endpoints
The GDPR service exposes two endpoints- a first endpoint for identifying the subjects that a given search term matches, and a second endpoint for actually initiating GDPR requests. The subjects endpoint accepts a single search term of a name, address, phone number, or email address, or social media handle, and returns a list of 0 or more matching subjects that consists of a userId, externalContactId, or dialerContactId. The requests endpoint accepts a single search term and a request type of Get, Export, Update, or Delete for responding to Article 15 (access), Article 16 (rectification), and Article 17 (erasure) requests. The requests endpoint accepts a single search term of a name, address, phone number, email address, social media handle, user ID, external contact ID, or dialer contact ID for initiating the specified GDPR request type. If the term is an id, then the service first resolves it into the corresponding resource (user, external contact) and includes the known fields in the GDPR request.
Subjects endpoint identifies subjects and search term matches
The subjects endpoint accepts a single search term of four types: name, address, phone, or email and returns a list of all the subjects that match the search term. A subject may be a userId, externalContactId, or dialerContactId. The returned list could contain zero subjects, a single subject, or many subjects.
PureCloud recommends using the subjects endpoint for every potential GDPR request to identify which individual(s) a subsequent request endpoint affects. By finding any subjects matching a search term, PureCloud customers can reduce the risk of unforeseen effects of a given GDPR request. The subjects endpoint can also be used to disambiguate results when a given search term matches multiple subjects. Specifically, since the subjects endpoint returns all matching subjects for a given search term, an API user may discover a more accurate search criteria for a subsequent GDPR request.
Requests endpoint accepts a single search term and specific request types
The requests endpoint accepts a single search term of any type (name, address, phone, email, user id, external contact id) and a single request type of Get, Export, Update, or Delete and returns a GDPR request which has been created and initiated. Export corresponds to an Article 15 (access) request, Update corresponds to an Article 16 (rectification) request, and Delete corresponds to an Article 17 (erasure) request. While the request type is “Delete” some services may anonymize personal data rather than delete. The actual processing of that request happens asynchronously. If the given term is a user id or an external contact id then the GDPR service first resolves that id into the corresponding user or external contact respectively, and includes all known fields from the user or external contact on the request, in addition to the provided id.
Customers use the requests endpoint to create an actual GDPR request. They should use the subjects endpoint first, to ensure the search term they use only affects the intended data subject. In the case where multiple criteria are known, they must submit multiple requests, one per term. It is strongly recommended that customers submit requests for every identifier known for an individual. For example, when an individual, or data subject, submits a request to the customer, the customer should collect the individual’s name, phone number, and email address, and submit GDPR requests to PureCloud for each.
PureCloud GDPR API rate limits
While the GDPR applies to data subjects in the European Union, the PureCloud GDPR API is available to customers in all PureCloud regions. However, the GDPR API has strict rate-limiting to maintain performance of the solution.
Can you provide an example of a GDPR data subject request response?
This example illustrates an effective response to a GDPR data subject request using the PureCloud GDPR API.
You receive a valid request from a data subject to delete their data. The data subject provided their name and email address.
- Make two separate subject API calls with the two separate identifiers (name and email address) that the data subject provided.
- Review the results of the subjects endpoint requests to disambiguate results and find matching subjects. Only those subjects that can be correlated with identifiers provided by the data subject are considered matching subjects.
- Make individual request API calls for each matching subject identified in step 2. If your two subject endpoint calls returned multiple objects, ensure that you make multiple request API calls, one for each matching subject. Otherwise, your response will be incomplete.
What if I cannot use the PureCloud GDPR API?
PureCloud recommends using the GDPR API as a self-service option for responding to GDPR requests. However if you cannot use the GDPR API and need assistance responding to a GDPR request, contact us.
How long will it take PureCloud to respond to a GDPR data subject request?
The typical response time for PureCloud to retrieve all personal data in response to an access or portability request is 1-2 days. Regarding a removal or “forget me” request under the GDPR, PureCloud will need no longer than 14 days to remove personal data or make it anonymous upon request.
What if an employee submits an Article 17 erasure request?
Usage of Genesys products requires processing of employees’ Personal Data (user’s name, work phone number, and work email) for proper functioning of the Genesys solution. Without storing this Personal Data associated with an employee, PureCloud could stop performing its function. Thus, for current employees, the processing of their Personal Data is necessary for the purposes of the legitimate interests pursued by the customer. Further, the customer may be required to keep employee interaction records in order to meet other regulatory requirements. Based on the lawfulness of this processing and the design of Genesys products, Genesys does not recommend erasing Personal Data associated with an ongoing user.
Can customers specify if personal data is deleted or made anonymous?
No. Some PureCloud services delete personal data upon request. Other services make personal data anonymous upon request.
Do I have any responsibilities for using PureCloud in a GDPR-compliant manner?
Yes. You can incorrectly configure certain services that store personal data. This prevents PureCloud from searching, accessing, or removing that data.
- Architect: Do not store personal data in flow names, flow descriptions, state names, task names, action names, VXML operation or parameter names, or prompt text to speech values.
- Directory: Do not store personal data in personal status.
- Web chat interactions: All web chat interactions containing personal data must be associated with a contact profile stored in External Contacts. There is no method to search for personal data stored in web chat interactions independent of External Contacts. If personal data is stored in a web chat through a custom variable, it cannot be found through the GDPR API unless the web chat is associated with a contact profile.
GDPR roles at Genesys
Genesys employees with roles related to GDPR:
- Chief Privacy Officer – William Dummett
- European Data Privacy Officer – Shahzad Muhammad Naveed Ahmad
- PureCloud Sr. Director of Security & Compliance – Eric Cohen CISSP, CIPM, CIPP/E