Software-as-a-Service (SaaS) provision is becoming an increasingly popular way of delivering many services, Telecom billing among them. However, current data protection laws in both the UK and the EU present a number of challenges to SaaS providers.
Under the EU’s Data Protection Directive of 1995, which is law in all 28 EU member states, the transfer of personal data outside of the European Economic Area (EEA) is prohibited unless certain conditions are met. The directive defines the scope of what personal data is: “any information relating to an identified or identifiable natural person”. This fairly broad definition covers a wide range of information about a person or business, such as their name, address, IP address or credit card details. In the case of Telecom billing the information likely to be transferred is even more extensive: a user’s phone number, every number they have dialled, the duration of each call, the operator used and so on can all be traced back to the user through the extensive data held in SMDR and CDR files.
Personal data can be transferred outside the EEA if it is being handled in a country that is on the European Commission’s (EC) list of countries or territories that provide adequate protection for personal data. Dynasoft Ltd is based in Jersey, and Jersey is one such territory. The US is not included on the EC list of approved countries. Special provisions exist for SaaS providers in countries such as Canada: UK Telecom resellers and operators need to ensure that Canadian SaaS providers comply with the Canadian Personal Information Protection and Electronic Documents Act. In Canada, this waiver only applies to providers that are regulated at the federal level, not at the provincial level. Furthermore, if the bona fide provider uses the services of a third-party company that is not on the EC’s list (such as a US company offering Cloud hosting services), then the EU/UK Telecom reseller or operator might still fall foul of the law.
The General Data Protection Regulation (GDPR), which comes into force on May 1st 2018, includes even stricter rules for the protection of EU citizens’ data. The GDPR applies to Personally Identifiable Information (PII). It mandates that all personal data be stored only with the explicit consent of the end-user. All parties involved in the processing and controlling of data are potentially liable under this new regulation. It applies to all companies based in the EU and, crucially, to every worldwide jurisdiction in which this user data is stored and processed. The GDPR is far reaching, as its framework also covers solution providers and businesses outside of the EU which nevertheless offer goods and services to residents of the EU.
The impact of the GDPR on Telecoms companies will be substantial:
* All transfers of information for data warehousing, reporting and marketing purposes will now need to be ready to be deleted or rendered anonymous.
* Explicit consent will need to be sought by providers whenever data and user information (CDR data, for example) is likely to be stored and used.
* Any stored data will need to be separated from systems that process this data so that it is not unwittingly processed in other areas.
* Data controllers will have to appoint a Data Protection Officer (DPO) where their activities involve the monitoring and processing of personal data.
* Data portability: Operators will have to be able to provide users with a copy of their personal data electronically, using a structured and established standard electronic format. A data dump of tables and spreadsheets from lots of different sources will not be acceptable.
Penalties for non-compliance will be significant:
* Harsh fines: Non-compliance will result in fines of up to 4% of global turnover or EUR20 million, depending on the nature of the non-compliance.
* Data breaches will be governed by stricter rules: it is now mandatory for organisations to notify the Data Protection authorities and customers within 72 hours of a data breach.
Telecom resellers and operators in the UK must be aware of data protection laws so as to avoid regulatory breaches and the penalties that follow from them. Serious breaches of the Data Protection Act in the UK, for instance, can incur fines of up to GBP500,000.
-EU vs US-
A new regulatory framework is being worked on between the EU and the US. It is called the Privacy Shield. It imposes stronger obligations on U.S. companies to protect Europeans’ personal data. It reflects the requirements of the European Court of Justice, which ruled the previous Safe Harbour framework invalid. The Privacy Shield requires the U.S. to monitor and enforce more robustly, and cooperate more with European Data Protection Authorities. The new regulation comes into full effect in May 2018. The penalties for wrongdoing could be very severe so planning is critical. More on this can be found here.
Other jurisdictions have recently strengthened their Data Protection legislation with fairly stringent new laws. In South Africa, for instance, the Protection of Personal Information (POPI) Act represents South Africa’s first comprehensive data protection legislation. It imposes a number of stringent obligations on everyone who processes personal information in any way.
It, for instance, introduces a mandatory data breach notification requirement. This means that entities handling private user data must notify the Information Protection Regulator (IPR) if there are grounds to suspect that personal information has been accessed or acquired by any unauthorised person.
The IPR has investigatory and enforcement powers, including the power to impose fines of up to ZAR 10 million.
The legislation also provides for criminal sanctions of up to 10 years’ imprisonment for obstructing the activities of the IPR, and up to 12 months for other violations.
-How Dynasoft can help-
We can help you turn these regulatory frameworks into opportunities, improve consumer service, customer loyalty and trust, and achieve greater business efficiencies. Governments are merely reacting to the dawn of big data and concepts such as the Internet of Things, and businesses need to be ready to embrace this new reality.
Dynasoft Ltd has 14 years’ experience in the Telecom billing sector in over 40 countries around the world. Thanks to this unique expertise we can provide legal and technical consultancy and advice to ensure your processes are compliant with your local legislation.
Dynasoft Ltd makes it possible for Telecom operators to be fully compliant with all their local data protection laws, as all our systems can be hosted on the operator’s own infrastructure or hosted by us in the cloud in any jurisdiction. You will then be able to access them anywhere using any Web browser.
Links: UK law | EU Data Protection Directive | EU General Data Protection Regulation