Speech analytics, powered by voice-recognition software and other AI tools, has ushered in a new era for extracting data from spoken conversations. This is opening up new ways for companies to measure any–and perhaps every–phone call for customer service, sales, internal meetings… the list goes on.
But at the same time, protecting your customers’ data is becoming a greater concern than ever, especially when it comes to the EU’s General Data Protection Regulation (GDPR). Let’s look at whether your plans to implement speech analytics, that include the processing of EU personal data, meets the guidelines.
Areas where speech analytics could run you into trouble
With speech analytics, there are three distinct steps involved: recording a call, generating a transcription, analyzing the results, and then transmitting them. Within each of these processes, there are seven main areas that you’ll want to ensure are above board.
- Lawfulness, fairness and transparency – Do your callers know they’re being recorded? Are you permitted to keep recordings in the countries where the call is coming from/going to? These laws differ on a national level (for example, in Belgium you’ll need consent from the call participants if the recording is made by a third party; in Germany, however, consent is compulsory on any call), as well as on a sectoral level (financial institutions must obtain consent when recording discussions that relate to certain types of transactions as described in the Markets in Financial Instruments Directive, or MiFID II), so you must be up to date with these laws in the countries where you operate. Remember GDPR is key, but it’s not the only piece of legislation you need to check.
- Purpose limitation – While there could be many purposes for recording or collecting personal data, the grounds for processing are limited under GDPR, especially if you process sensitive data. Your purposes may include, for example, protecting the interests of a customer with a support issue, or improving your company’s training or customer support by monitoring and analyzing calls to your company. You will need to find the legal ground for your processing, which for these purposes could be the protection of interests of data subjects (support) or a legitimate interest of your company (training).
- Data minimization – A continuation of the previous potential red flag–once the relevant data has been extracted, you won’t want to hold on to the recordings and transcriptions and potentially irrelevant personal data that goes along with it.
- Accuracy – Seems pretty straightforward: don’t store inaccurate, incomplete or misleading data derived from phone calls. But this could also include storing information that is out of date–as in expired identification numbers, old addresses or phone numbers, as well as general personal information (i.e., name, age, gender) collected for a purpose that is no longer relevant to your company when you first collected it.
- Storage limitation – How long will you hold on to your speech analytics data? Under GDPR, “forever” is no longer an acceptable answer. There are sectoral laws that require minimum retention periods. Calling back to MiFID II, these specific guidelines require you to store calls for five years. So you’ll need to know the specific retention laws within your sector. You’ll also be responsible for the way data is stored and processed by any third-party recording and/or analytics providers you use.
- Confidentiality and Integrity – That’s right, when you collect data with speech analytics you’re in charge of keeping that personal data private and unaltered. This means having the right security measures and personnel training in place to ensure you and your providers are keeping your customer data intact and protected from unauthorized access or disclosures.
- Demonstrating accountability – Last but certainly not least, if you can’t demonstrate that you’re following GDPR compliance, you’ll find yourself in hot water. This means documenting every step of the process, from call recordings to transcription and analysis, in a registry of processing activities. The relevant supervisory authority (such as the Belgian Privacy Commission or the UK’s Information Commissioner’s Office) may ask you for these records during the course of an investigation, so you’ll want to stay one step ahead. You’ll also need to find a solution for you and your suppliers to identify under which specific legal grounds you’ll be handling sensitive data and the steps you’re taking to minimize risk. Be diligent as well as transparent if you want to use speech analytics–or any form of data collection for that matter–if it involves processing any personal data from the EU.
What to look for in a GDPR-compliant speech analytics provider
When outsourcing your speech analytics processes that may fall under GDPR scrutiny, there are some things you should consider. For example, you should conduct a privacy and information security screening to verify appropriate compliance by the supplier. You may also want to choose a provider based in the EU with servers located within the EEA (European Economic Area). If this isn’t the case, make sure you agree on appropriate measures for making secure transfers and understanding the data-flows between the countries involved in the processing. It will be important as well to know whether your supplier trains their staff on privacy.
Here’s where Voxbone comes in. As a global communications provider based in the EU, our team has been living and breathing GDPR in anticipation of the May 25th implementation date. And Speech Analytics is no exception. We’ve been working with our analytics providers and examining our on-demand recording processes to give your business peace of mind when it comes to your data.
Want to learn more about the ways Voxbone can keep your business communications simple–and compliant–when it comes to speech analytics? Get in touch with a member of our team or visit Voxbone.ai to find out more.