Have you heard of GDPR?

It is important to be aware of the General Data Protection Regulation (GDPR). The new regulation is expected to be implemented on the 25th of May 2018. As organisations, if you're based in a member state of the European Union you need to ensure that you adhere to and can demonstrate compliance with this new legislation as failure to comply could result in your organisation receiving a large fine. The legislation will also apply if your organisation handles the personal data of individuals residing in the EU, regardless of your location.

Artist's depiction of SIP security

As businesses, you must comply with this new legislation even though you might be thinking, 'what about Brexit?'. To answer to this question, the law will still apply to the UK because the process for leaving the EU takes two years. When the UK does leave the EU it must establish its own regulations, but in the meantime your company must continue to plan and prepare for the GDPR. Even after Brexit, if you process data regarding individuals to sell goods or services to citizens in other EU countries, you will need to comply with the GDPR, regardless of whether it is adopted by the UK.

If your business solely trades within the UK, then whether or not you need to comply with the GDPR post-Brexit depends on the outcome of the negotiations that are being conducted and Parliamentary events. While we cannot say with certainty whether GDPR will apply after Brexit, the UK Government has stated that they will develop similar legislation.

If you are a user of our Call Recording facility, you need to be aware that you are a Data Controller and also be aware of the additional clause to terms and conditions. You will need to log into our Portal and confirm your GDPR compliance in order to continue using the service after May 22nd 2018. You can log in here to do so: https://portal.orbtalk.co.uk Businesses who don't comply with the GDPR could be fined as much as 4% of annual global turnover or €20 million (whichever is higher) which could bankrupt many small and medium sized businesses, let alone the reputational damage that would result. However, this maximum penalty would be applied for serious offences. These rules apply to both data controllers and data processors. So, if you store customer's data in the cloud, you'll still be subject to GDPR.

What is the difference between a data controller and data processor?

When reading documents regarding the GDPR, you'll see a lot of references to data controllers and data processors. A data controller is a company that decides why and how personal data will be collected and the processor is a company that processes data on their behalf. For the purposes of our call recording service, we are a data processor and you as the customer would be the data controller.

GDPR Overview

You must check your procedures to ensure they comply with the rules contained within the GDPR, a summary of some of these rules is below.

Customer consent must be obtained in clear, unambiguous language

When obtaining consent from customers to obtain personal data, you cannot use complex legal language in the terms and conditions. This is to ensure that the request for consent is easily accessible. As part of this request, you'll need to include a clear reason for obtaining and processing the data and provide details of the length of time for which the data will be stored. If the data is being exported, the method of doing so must be given and the notice for consent must state that it can be withdrawn. The consent for the processing of data must be indicated clearly i.e. it cannot be hidden within other terms and conditions so that it would be difficult for an individual to locate it. You must be able to prove that consent was given if required by the authorities. Each purpose for consent must be approved separately unless it's appropriate to combine them.

Consent withdrawal

The process to withdraw consent must be as simple as the one to provide it.

Parental consent

Parental consent is needed to process the personal data of under 16s; individual members of the EU may alter this to a lower age but in any case this cannot be below 13.

The public sector

Public sector organisations or those that participate in large volumes of systematic monitoring/processing of sensitive personal data must appoint a Data Protection Officer (DPO) who has knowledge of data protection laws, is given the resources for their role and may be a staff member or third party. They can only report to top management and mustn't partake in any activity that could pose a conflict of interest. Data protection must also be prominent within the organisation.

Data breaches

Any data breaches which have the possibility of posing a risk to individuals must be reported to the Data Protection Authority (in the UK, this is tAdditonallyhe Information Commissioner's Office) by the data controller within 72 hours and the affected individuals must also be notified as soon as is practicable. They need to be notified of the contact details of your DPO if you require one.

Non-EU businesses

If you are a non-EU business that processes the data of EU individuals, you will need to appoint a representative in the EU.

Right of access

Individuals will have the right to request information about where and why data regarding them is being processed. Businesses processing this data will be required to provide a copy of the data held regarding the individual in an electronic format at no cost on request. They'll also have the right to request that their data be corrected, deleted or restricted (while a complaint is being investigated) or they can object to their data being processed by your organisation. Data controllers must respond within one month unless the case is complex, in which case they must respond within three months. You may be able to meet these rights with a self-care portal.

Data portability

The concept of data portability is being introduced; this will allow individuals to receive the data held regarding them and forward that data to another company in a commonly used electronic format. The data can also be transferred between companies electronically on the individual's request if technically feasible and the EU may also use competition legislation to prosecute organisations who do not transfer data electronically on request.

Privacy by design

Another new concept is 'privacy by design' which means that data protection must be an integral part of the design process of any new systems instead of a bolt-on at the end of the process.

Data retention

Article 23 states that you must only hold and process the minimum amount of data necessary for the execution of your activities and only permit visibility of this data by staff that need to process it.

Right to be forgotten

Individuals may request that their data be erased under a number of circumstances: (a). The data is unnecessary for the purposes of the processing, (b). Consent has been withdrawn, (c). Legal retention period has expired, (d). The individual objects to how or why the data is being used or (e). Illegal data processing under the GDPR. If you have made your data public and receive a request under the right to be forgotten, you will also need to notify controllers that process the data of the request (e.g. search engines that link to the data).

Data processor obligations

Data processors have a smaller but equally important set of obligations; they must have appropriate security measures and inform controllers of any breach that occurs. They cannot appoint any sub-processors without the controller's consent and they must comply with the same procedures as the processor. Any company that appoints a data processor should ensure that the agreement covers the minimum required standards. Processors may be liable to fines or claims if they fail to adhere to these measures.

Transferal of personal data

Personal data cannot be transferred outside of the EU unless the location that it is being transferred to has appropriate security measures.

Auditing of personal data processed

Businesses (data controllers/processors) must keep a record of the personal data that is being processed and the reason for doing so (unless they employ fewer than 250 people, the data processing is unlikely to pose a risk to individuals, the processing is occasional or it is not involving sensitive data) and must conduct an impact assessment when processing large volumes of sensitive data. These assessments must state how and why the data is going to be collected along with showing why it is necessary and proportionate and any risks that could arise from collecting the data. The DPA must be consulted if there would be a high risk in processing the data.

Changes for DPAs

DPAs will have greater investigation and enforcement powers, including access to premises, power of injunction and binding orders. However, they no longer have to be notified if you are processing personal data.

Additionally, transfers of personal data outside of the EU no longer have to be notified to the DPAs.


If you already have a data protection solution in place, we recommend that you ensure that it complies with the new requirements. You may also need to seek legal advice, update your terms and conditions and train your staff on these new regulations, along with regular refresher training.

If your organisation operates in more than one EU member state for example you carry out cross-border processing, you should determine your lead data protection supervisory authority and make sure you are up to date and meet the new legislation.

What we provide

Orbtalk specialise in SIP and VoIP solutions for business and are unique in this market space due to our global reach. This allows us to offer SIP Trunking and Cloud Phone Systems to organisations across the globe for single and multi-sited companies. Our global presence also means that we have one of the largest offerings of international numbers available from over 8000 destinations globally.

Request a Call Back
Call us on 0800 101 7000