VirtuaTell GDPR Compliance
The new GDPR regulations came into force on 25 May 2018. For many months, VirtuaTell have been prepared to deliver GDPR compliant automated CX feedback surveys!
GDPR stands for General Data Protection Regulation. Set to be introduced on 25 May 2018, GDPR legislation defines how European personal data must be handled by anyone that stores or processes such details.
And as a company with a USA-based office, we are aware it’s not only businesses that are based in the EU that will be affected by the introduction of GDPR – the legislation applies to all companies that handle the data of individuals residing in the EU, regardless of the company’s location. And it’s not just the originating organisation that stores their data that must be compliant – anyone down the data processing chain must also be compliant.
Anyone using a survey service will need to partner with a supplier delivering GDPR compliant CX feedback surveys, as the regulations affect all companies storing and using personal data to collect customer experience feedback, and failure to comply will lead to significant fines. As we know, the European Parliament allowed 2 years for businesses to comply with the new regulations, so there’s no excuse for not having the necessary procedures and protocols in place by the time the legislation is introduced.
What data is covered by GDPR?
Any personal data such as the names, addresses, phone numbers, IP addresses, account numbers, email addresses, and demographics of EU citizens is covered by GDPR. This means, if you use email marketing, CX feedback surveys or direct mail, or you have a call centre that deals with EU customers, you must be compliant whether you’re based in the EU, the US, or anywhere else around the world.
Why does VirtuaTell need to be GDPR compliant?
The new GDPR legislation applies to us because:
- We are a business in the EU that processes personal data on behalf of other clients, in order to send out survey invitations and collect feedback.
- We operate our services world-wide and as such, may process the personal data of European citizens, regardless of where they live.
Essentially, as we are based in the European Union, and deal with the data of EU citizens, we MUST be fully GDPR compliant or face heavy fines.
Which countries are classed as EU countries?
There are 28 countries within the EU: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the UK. GDPR applies to citizens of these 28 countries, wherever they live in the world.
What happens if we don’t comply with GDPR legislation?
If we fail to comply with GDPR, not only our business but also our clients could face a fine of up to 20 Million Euros.
What GDPR checks should anyone make before using a service such as ours?
With the introduction of GDPR, it’s certain that our clients will only work with a fully compliant CX feedback survey service, to avoid the risk of a huge fine!
In order to be fully GDPR compliant, we ensure the following is in place for our clients:
1. We have a written contract in place.
a. It’s important that there is a contract in place outlining the responsibilities and liabilities of both parties. Ultimately, our client is responsible for the compliance of the CX feedback service, so we make this very easy and straightforward to guarantee that the requirements of GDPR will be met at all times.
2. We have clear and published privacy and data protection policies in place
a. If anyone is communicating with your EU based customers, it is essential they have publicly accessible information about how you collect information from them, how it is used, and how it is protected and kept private. Almost all countries have data privacy laws requiring that anyone collecting personal information publishes a statement on how and why they do so, and that includes the EU.
3. We have an appointed data protection officer
a. Any business that conducts large-scale personal data processing must have a named Data Protection Officer in place. This applies to all companies in our field operating CX feedback, as only companies with appointed Data Protection Officers are permitted to process EU data.
4. We have documented, clear, GDPR compliant data processing rules for every item of data we are given
a. As a professional CX feedback supplier that handles client data, VirtuaTell documents exactly what data handling options we have agreed with our clients, before, during and after we have processed their data. Typically, that will include the following options, each option having the capability of occurring at a specific time or delay. In addition, the options can operate as part of the pre-processing data stage, post-processing or feedback collection stage:

| Option | Description |
|---|---|
| Delete | After processing the source file, delete the file. |
| Pseudonymise | Selected fields within a data record are replaced by one or more artificial identifiers (pseudonyms) generated using a private key, held securely off-site by a single VirtuaTell Data Protection Officer only. |
| Anonymise | Converts data into a non-human-readable and irreversible form, including preimage-resistant (one-way) hashes. |
| Redact | Removal of some data content, replacing it with a random encryption which indicates the removal of the data. |
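To make the four options above concrete, here is an added illustration in Python; it is not VirtuaTell's code, and the key, the sample record, the `[REDACTED]` marker and the field names are all constructed for the example.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed key for the example only. In a real deployment the pseudonymisation
# key is held off-site by the Data Protection Officer, never beside the data.
PSEUDONYM_KEY = b"constructed-example-key-not-for-production"

# Constructed survey-invitation record (not real customer data).
SAMPLE_RECORD = {"name": "Alice Example", "email": "alice@example.com",
                 "phone": "+44 20 7946 0000", "score": 9}

def pseudonymise(record, fields, key=PSEUDONYM_KEY):
    """Replace selected fields with a keyed HMAC-SHA256 pseudonym. Same value and
    key always give the same pseudonym, so records stay linkable; without the key
    the pseudonym cannot be tied back to the original value."""
    out = dict(record)
    for f in fields:
        out[f] = hmac.new(key, str(record[f]).encode(), hashlib.sha256).hexdigest()[:16]
    return out

def anonymise(record, fields):
    """Replace selected fields with an unkeyed one-way SHA-256 digest. Caveat: the
    digest of a low-entropy value (e.g. a phone number) can be guessed by hashing
    candidates, so for such fields dropping the value entirely is safer."""
    out = dict(record)
    for f in fields:
        out[f] = hashlib.sha256(str(record[f]).encode()).hexdigest()
    return out

def redact(record, fields, marker="[REDACTED]"):
    """Remove the content of selected fields, leaving a marker that records
    that the field existed and was deliberately removed."""
    out = dict(record)
    for f in fields:
        out[f] = marker
    return out

def process_and_delete(path, handler):
    """Delete-after-processing: read the source file, pass its bytes to
    handler, then remove the file so no copy of the source lingers."""
    with open(path, "rb") as fh:
        result = handler(fh.read())
    os.remove(path)
    return result

def demo_delete():
    """Write a constructed source file, process it, report (rows, still_exists)."""
    fd, path = tempfile.mkstemp(suffix=".csv")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"name,email\nAlice Example,alice@example.com\n")
    rows = process_and_delete(path, lambda data: data.count(b"\n"))
    return rows, os.path.exists(path)
```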
Does VirtuaTell use Privacy Shield certification?
VirtuaTell does not use Privacy Shield certification as it is considered inferior to GDPR.
Privacy Shield allows US companies to self certify for European Data Protection laws, but does not guarantee that they comply with GDPR, and according to the European Commission, Privacy Shield still needs to address a number of serious areas before it can be considered GDPR compliant, namely:
- Must prevent false self-certification
- Must raise public awareness of how to exercise their rights
- Needs to develop closer co-operation between privacy enforcers
- Must appoint a Privacy Shield Ombudsman
So, here at VirtuaTell, we’re fully compliant…
At VirtuaTell, we’ve always taken the security of our clients’ data seriously, and we are – and have been for some time – fully compliant with GDPR, so our clients can rest assured that their data will be safe, secure, and used only in line with the very latest EU regulations.
For further information about GDPR and how we adhere to the new regulations, please do not hesitate to contact us.