
Jdruker/GDPR

Start of the existing Security Guide GDPR page

General Data Protection Regulation (GDPR)

Important
This page will contain information about GDPR and its implementation by Genesys products. This page will go live on May 25, 2018.

What is GDPR

The General Data Protection Regulation (GDPR) is a regulation adopted by the European Union in 2016 that sets new rules for how companies manage and share personal data. It also addresses the export of personal data outside the EU. The GDPR applies to enterprises across the globe that store the data of EU citizens.

The regulation applies if the data controller (an organisation that collects data from EU residents), the processor (an organisation that processes data on behalf of a data controller, such as a cloud service provider), or the data subject (the person) is based in the EU. It also applies to organisations based outside the EU if they collect or process personal data of individuals located inside the EU. Under these terms, Genesys is considered a data processor.

What data comes under the scope of GDPR?

According to the European Commission, "personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address." This data is referred to as Personally Identifiable Information (PII).

Rights defined by GDPR

The following Rights are defined by the GDPR:

Xavier, this reads like a design spec discussion. It should be reworded to talk directly to customers. Some suggested examples are below.

Right of Consent

In general, the Genesys platform does not collect data beyond what is necessary and determined to meet the use cases of our customers, and we do not use any of this data for our own purposes for which we would require consent (note that we may collect aggregate or pseudo-anonymized information for purposes such as statistical and best-practice analysis). Additionally, our customers often collect information, for purposes unrelated to our platform, that may be duplicated in our platform and that would need to be in scope of any data controller consent agreement.

Requirements to meet Right of Consent apply outside the Genesys platform. In general, Genesys does not collect data unless it has been determined to be necessary to meet the use cases of customers, who are the data controllers from the point of view of GDPR compliance. Although Genesys might collect aggregate or pseudo-anonymized information for purposes such as statistical and best-practices analysis, Genesys does not utilize customer data for purposes that require consent from consumers. However, be aware that data controller consent agreements should consider information you collect for business purposes, but which might incidentally be captured in the Genesys platform (for example, in a transcript record).

For these reasons, we currently believe that meeting the right of consent lies outside our platform, and there are no specific requirements related to this right. However, in the future we may consider providing complementary support to our customers, such as the ability to place consent notices on consumer-facing functionality.

Right of Access and Portability

This is similar to the "Forget Me" case in that the data must be findable; compliance requires only that this be possible, but usability suggests we should make it reasonably easy. As with Forget Me, if we hold the data only ephemerally (< 30 days), it is not mandatory to include such data in the scope of a Right of Access export.

Again, at a minimum, customer-exposed functionality must be able to find and provide this data. But the goal, as with deletion, is to provide a standard shared mechanism that takes centralized input, automates processing across solutions, and gathers the output into a single package.

Right of Erasure (Forget Me)

Xavier, move this up a row, before Right of Access?

As holders of EU citizen data for the purpose of executing processing on behalf of our customers, we must provide adequate support for data controllers to be able to meet this right. At a bare minimum, this means that our customers must be able to request through Customer Care that we execute processes to adequately forget an individual (subject to exceptions where this conflicts with other regulatory or legal obligations). However, it is a much more desirable state where our customers' administrative personnel are able to execute such actions themselves.

To meet this, at a minimum there must be a capability in customer-exposed functionality to perform such deletion in a manner that does not negatively impact the stability or accuracy of our platform. Note that forgetting an individual does not necessitate actual deletion. In some cases, to maintain our data models, it may be necessary to redact with pseudo-anonymized information rather than actually delete data content.

However, an approach where a unique, product-specific procedure for each possible use case of forgetting has to be executed by our customers' administrators is not user friendly. To give our customers better service, we are instead seeking, as a start, a standard approach that takes centralized input about a consumer and automates processing of this data across solutions.

Breach Notification

Since Genesys does handle EU citizen PII, this is definitely in scope of our responsibilities, collaboratively with our customers. Genesys maintains a Product Security Incident Response Team (PSIRT) to support such scenarios. No technical requirements are necessary to address this right.

Privacy by Design

Privacy by design means that systems are designed with appropriate security measures such that PII is properly protected. No GDPR-specific requirements are created to address privacy by design, because we already have security requirements applicable to the protection of our customers' data. See Security for more information.

Products

End of the existing Security Guide GDPR page

Start of suggested additions (after deleting the above "Products" subhead).

Genesys implementation of GDPR support

Brief general description of the process: Customers provide consumer-identifying input for GDPR requests (forget me and/or export). The input is in the form of JSON files uploaded to a configured, tenant-specific location. Genesys products process these files on a regular basis, usually daily, to execute the requests.

Important
In general, Genesys support for GDPR compliance is based on default configuration settings and typical application usage.

Terminology

  • Forget Me -- Clarify that it does not mean "forget me forever" (i.e., a "forget me" request applies only to existing, not future, data).
  • customer vs. consumer (= customer's customer)
  • redact vs. delete -- Clarify that Genesys products do not delete information; they redact data. CONFIRM -- is this true for all products?
  • export -- Clarify that, in this context, it means Right of Access info. But some products might use the term to mean something different in other contexts (e.g., GIM has a data export feature, whereby whole database tables are exported to customers).

Input and output file location

The customer specifies the location for each tenant’s JSON files in the [gdpr].gdpr-directory option on the Annex tab of the Tenant configuration object. Genesys has no special requirements for the location of the directory. The gdpr-directory option must simply specify a valid path that both Genesys and the customer can access.

All Genesys products use the same tenant-specific directory for the input and output files (if the product provides them) for that tenant. The customer is responsible for maintaining this directory. Is it worth pointing out that customers shouldn't delete or overwrite an input file before all products have had a chance to process it?

JSON input files

There are separate input files for Right of Erasure and Right of Access requests:

  • forget-<DDMMYYYY>-<any optional content>.json
  • export-<DDMMYYYY>-<any optional content>.json

The date part of the file name (<DDMMYYYY>) is expected to indicate the date the file was created, to maintain file uniqueness. Genesys products do not use this information to trigger or manage request processing. Using timestamps in the file system, products process any files added or modified for that tenant since the last time the product processed GDPR requests.

File specification

The JSON specification for the forget and export files for GDPR requests is identical. CONFIRM

  • "caseid" — (Optional) Holds customer case numbers, for possible use by Customer Care to supplement customer self-service.
  • "consumers" — (Required) Holds an array of individual "consumer" elements, so that GDPR requests from multiple consumers can be processed at the same time.
    • "consumer" — (Required) An individual consumer for whom a GDPR request is being submitted. Each consumer may be identified by one or more of the following attributes, specified in an array:
      • "phone" — Phone number, without separators
      • "email" — Email address
      • "fbid" — Facebook ID
      • "twid" — Twitter handle
      • "wcid" — WeChat ID
      • "name" — Given name
      • "ipaddr" — IP address

In addition, there are optional application-specific elements:

  • "intauto-fields" — Note that in Colin's design doc, this is called "appauto-fields". Holds an array of Intelligent Automation fields?
  • "gim-attached-data" — Used by Genesys Info Mart to target custom user data attached to interactions and custom Outbound Contact Server (OCS) fields used in Outbound Contact campaigns. Custom user data and custom fields contain data for which customers configured customized storage in the Info Mart database.
    • "kvlist" — Holds an array of the custom user data KVPs and custom OCS fields that might contain PII.

Example

{
   "caseid":"123456789",
   "consumers":[
      {"consumer":
         [
            {"name":"John Doe"},
            {"name":"John Q. Doe"},
            {"phone":"555551212"}
         ]
      },
      {"consumer":
         [
            {"name":"Dan Akroyd"},
            {"phone":"555556161"},
            {"phone":"555556162"},
            {"email":"danny@hollywood.com"},
            {"email":"funnyguy@comedy.org"},
            {"fbid":"Dan Akroyd"}
         ]
      }
   ],
   "gim-attached-data":{"kvlist":["AcctNum", "SSN"]}
}

Output Files

After Genesys products process input requests, they provide two types of output:

  • For Right of Access requests, an export of the PII data relating to the requesting consumer(s). If the export data is provided in a JSON file, the file name is <component>-<DDMMYYYY>-access.json.
  • An execution report for audit purposes, detailing the execution results for forget-me and export requests. If the audit report is provided in a stand-alone file, the file name is <component>-<DDMMYYYY>-execution-log. File type?

Output files are placed in the same GDPR directory as the input file, with the date part of the file name indicating the date the file was created.
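The flow described above (input file naming, pickup of new or modified files by file-system timestamp, the JSON file specification, redaction rather than deletion, and the output file names), worked through end to end as an added example. This is illustration code written for this page, not Genesys product code: the in-memory sample records, the temporary gdpr-directory, the component name "ExampleComponent", the "[REDACTED]" placeholder, and plain text for the execution log (whose file type the page leaves open) are all assumptions.

```python
"""Added example (not Genesys code): process GDPR request files from a tenant's
gdpr-directory as the page describes. Sample data and names are constructed."""
import json, os, re, tempfile
from datetime import datetime

CONSUMER_KEYS = {"phone", "email", "fbid", "twid", "wcid", "name", "ipaddr"}  # per the spec
APP_KEYS = {"intauto-fields", "gim-attached-data"}  # optional application-specific elements
INPUT_NAME = re.compile(r"^(forget|export)-(\d{8})(-.*)?\.json$")  # forget-/export-<DDMMYYYY>-...
# Constructed records standing in for a product's own storage (assumption).
SAMPLE_RECORDS = [
    {"id": 1, "name": "John Doe", "phone": "555551212", "AcctNum": "A-1"},
    {"id": 2, "name": "Jane Roe", "email": "jane@example.invalid", "AcctNum": "A-2"},
]

def classify_filename(name):
    """(request_type, DDMMYYYY) for a well-formed input name, else None. The date only
    keeps names unique; processing is driven by file-system timestamps, not by it."""
    m = INPUT_NAME.match(name)
    if not m:
        return None
    try:
        datetime.strptime(m.group(2), "%d%m%Y")
    except ValueError:
        return None
    return m.group(1), m.group(2)

def validate_request(doc):
    """Check a parsed request against the file specification; returns a list of problems."""
    if not isinstance(doc, dict):
        return ["top level must be a JSON object"]
    problems = ["unknown top-level key %r" % k for k in doc if k not in APP_KEYS | {"caseid", "consumers"}]
    gim = doc.get("gim-attached-data", {"kvlist": []})
    if not isinstance(gim, dict) or not isinstance(gim.get("kvlist"), list):
        problems.append('"gim-attached-data" must hold a "kvlist" array')
    consumers = doc.get("consumers")
    if not isinstance(consumers, list) or not consumers:
        return problems + ['"consumers" must be a non-empty array']
    for i, entry in enumerate(consumers):
        attrs = entry.get("consumer") if isinstance(entry, dict) else None
        if not isinstance(attrs, list) or not attrs:
            problems.append('consumers[%d]: missing "consumer" attribute array' % i)
            continue
        for attr in attrs:
            if not isinstance(attr, dict) or len(attr) != 1:
                problems.append("consumers[%d]: each attribute must be a single-key object" % i)
                continue
            (key, value), = attr.items()
            if key not in CONSUMER_KEYS:
                problems.append("consumers[%d]: unknown attribute %r" % (i, key))
            elif key == "phone" and not (isinstance(value, str) and value.isdigit()):
                problems.append("consumers[%d]: phone must be digits without separators" % i)
    return problems

def pending_inputs(gdpr_dir, last_run_ts):
    """Request files added or modified since the last run, selected by modification time."""
    found = []
    for name in sorted(os.listdir(gdpr_dir)):
        path, kind = os.path.join(gdpr_dir, name), classify_filename(name)
        if kind and os.path.getmtime(path) > last_run_ts:
            found.append((kind[0], path))
    return found

def identifiers(attrs):
    """All identifier values supplied for one consumer."""
    return {v for a in attrs for v in a.values()}

def redact(record, targets, kvlist):
    """Redact rather than delete: identifier values and listed custom fields are replaced."""
    return {k: "[REDACTED]" if v in targets or k in kvlist else v for k, v in record.items()}

def process_requests(gdpr_dir, component, records, last_run_ts=0.0):
    """Run pending forget/export requests; write <component>-<DDMMYYYY>-access.json (when
    anything was exported) and <component>-<DDMMYYYY>-execution-log into the same directory."""
    today = datetime.now().strftime("%d%m%Y")
    records, exported, log = [dict(r) for r in records], [], []
    for kind, path in pending_inputs(gdpr_dir, last_run_ts):
        with open(path) as fh:
            doc = json.load(fh)
        problems = validate_request(doc)
        if problems:
            log.append("%s: rejected: %s" % (os.path.basename(path), "; ".join(problems)))
            continue
        kvlist = doc.get("gim-attached-data", {}).get("kvlist", [])
        for entry in doc["consumers"]:
            targets = identifiers(entry["consumer"])
            hits = [i for i, r in enumerate(records) if any(v in targets for v in r.values())]
            if kind == "forget":
                for i in hits:
                    records[i] = redact(records[i], targets, kvlist)
            else:
                exported.extend(records[i] for i in hits)
            log.append("%s: case %s: %s matched %d record(s)"
                       % (os.path.basename(path), doc.get("caseid", "-"), kind, len(hits)))
    if exported:
        with open(os.path.join(gdpr_dir, "%s-%s-access.json" % (component, today)), "w") as fh:
            json.dump(exported, fh, indent=2)
    with open(os.path.join(gdpr_dir, "%s-%s-execution-log" % (component, today)), "w") as fh:
        fh.write("\n".join(log) + "\n")
    return records, exported, log

def run_demo():
    """Constructed end-to-end run in a temporary gdpr-directory; returns (records, exported, log)."""
    d = tempfile.mkdtemp()
    forget = {"caseid": "123456789",
              "consumers": [{"consumer": [{"name": "John Doe"}, {"phone": "555551212"}]}],
              "gim-attached-data": {"kvlist": ["AcctNum", "SSN"]}}
    with open(os.path.join(d, "forget-03052018-case1.json"), "w") as fh:
        json.dump(forget, fh)
    with open(os.path.join(d, "export-03052018-case2.json"), "w") as fh:
        json.dump({"consumers": [{"consumer": [{"email": "jane@example.invalid"}]}]}, fh)
    return process_requests(d, "ExampleComponent", SAMPLE_RECORDS)
```

Two design points carry over from the page: matching never relies on the date in the file name, only on modification time relative to the last run, so a customer who overwrites an input file before every product has processed it would cause it to be picked up again by some products and missed by others; and a forget request leaves the record in place with its identifying values and the listed custom fields (here "AcctNum") replaced, so the data model stays intact while the PII is gone.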

Genesys support for GDPR, by product

Genesys products have implemented support for GDPR in a variety of ways. See the following pages for details about product-specific aspects of the GDPR implementation.

Xavier, if you rename all the product-specific pages so they use a consistent prefix (or suffix) -- e.g. {{#topic:GDPR-GVP}}, {{#topic:GDPR-GIM}} -- you can use the following template call here to automatically generate a list of links that will be self-maintaining:

{{MiniTOC|pattern=%System:SDG:GDPR-%:{{PONYDOCSVERSION}}}}

This page was last edited on May 3, 2018, at 22:18.