The Why, What and How of GDPR for Telcos

Brice BERDAH

An overview of the impact of GDPR for telcos and the need for laws regulating data collection practices

Data protection can sometimes be seen as cumbersome. Even when the user benefits are apparent, forcing businesses to comply with yet another set of laws can look like a hindrance. Yet we need convincing regulation to make the Internet a safe and sane place where everybody can share and exchange.

Besides, the regulation isn't just about protecting users and preventing abuse by businesses: the goal of GDPR is to set up an adequate and practical framework for data collection practices across the whole European region. If GDPR succeeds, it will benefit not only individuals but also businesses, which will enjoy a more predictable environment and more trust from their users.

THE CHALLENGES OF DATA PRIVACY ON THE INTERNET

GDPR is particularly timely, considering the recent discovery by the general public of Facebook's abusive data collection practices, and the work of whistleblowers over the last decade to reveal the scale of governmental and corporate surveillance and data gathering operations. Telecom operators, which carry millions of sensitive conversations, also played a significant role in that surveillance.

The lack of convincing data protection laws has tremendous negative consequences for users, but also for society as a whole. At the user level, it translates into a complete absence of control over their data: they don't know who holds it or what it says about them. They have no visibility on which data points in particular are accessed, or why.

In case of abuse, recourse is hard, if possible at all. Overall, it's clear on the user side that the current regulatory framework is dramatically outdated and doesn't fit the realities of the Internet.

In this legal gap, a wide range of intrusive yet effective practices developed. GDPR will make some of them illegal, such as using unclear wording and unnecessarily long terms and conditions to bury controversial clauses.

DATA PROTECTION FOR INDIVIDUALS

The societal consequences of the absence of a robust legal framework protecting consumer data are worrisome. They translate into the progressive disappearance of privacy and the hijacking of political power by private interests. Industry actors (such as Cambridge Analytica) are gathering massive user files, built by combining several sources.

Put simply, a reliable data protection framework is one of the necessities of a healthy democracy. Without individual rights, democracy cannot function. The right to privacy is a special one: it is foundational. Without it, essential civil liberties are reduced: freedom of expression, freedom of speech, and the ability of citizens to make conscious and free decisions.

GDPR - Lady Justice

BUSINESSES BENEFIT FROM A FIRM DATA COLLECTION REGULATORY FRAMEWORK

The current data protection laws are insufficient and detrimental not only to consumers but also to businesses.

For businesses, the main issue with the current regulatory framework is its fragmentation. Even if the EU tends to unify regulation, internet and telecommunication restrictions and obligations differ from one country to another. For telcos, navigating the different regulations is hard.

This patchwork of regulations makes it hard for any business to comply exhaustively. Moreover, the multiplication of interlocutors makes it even harder for companies to be proactive in their data collection practices.

Besides, the previous penalties for non-compliance were insufficient. When fines are absurdly low compared to the amounts at stake, they quite often trigger the "How much would it cost us to just pay the fine?" reaction, which is synonymous with a failure of the legal system.

HACKING THROUGH THE LOCAL REGULATORY JUNGLE

The flaws of the previous regulatory framework are now quite apparent, but enforcement might be the real challenge. Before anything else, the law must be simple and clear enough to be applicable.

If it isn't, we land in the current situation: whatever the chosen government policy, the result is pretty much the same behind a different front: a jungle.

  • The Wild Jungle: countries with insufficient, inexistent, or unenforced data protection laws, or a mix of all three.
  • The Banana Tree Hiding the Jungle: countries with very permissive regulations, so lax that their effect is close to null (such as the United States): a barely hidden jungle.
  • The Predator-Less Jungle: countries with stronger regulations but not enough enforcement or high enough penalties (such as European countries). Even there, businesses can do pretty much what they want as long as they are incorporated abroad.

GDPR - regulatory jungle

The previous European telecom regulations are a good example of how complex it can get. Rules surrounding short codes and phone numbers, SMS signaling and priority (marketing vs. notification), voicemail recordings and contact list management could change significantly from one country to the next.

The extra-territorial applicability is arguably the main change brought by GDPR. Previously, the territorial applicability of data protection laws was ambiguous. The main uncertainty was which law to apply:

  • The one of the business country?
  • The one of the consumer’s country, if different?
  • Or maybe even the one where the data was “processed”?

The territoriality of the laws was a big risk factor for telcos, because many countries can be involved in a single data collection process. Consider a call center:

  • located in Tunisia,
  • calling customers in France, Italy and Spain,
  • for a company based in Portugal,
  • using the services of a German software company to process its call data.

Which law should the call center comply with?

GDPR makes it clear. Whether the company is established in the EU or not, and whether the processing happens inside the EU or outside, it must comply with GDPR as soon as it processes the personal data of people in the EU in order to offer them goods or services or to monitor their behaviour, or does so in the context of an EU establishment. In the example above, what matters is that the customers are in France, Italy and Spain (and that the company is established in Portugal), not where the call center or the software provider sits.

The extra-territorial applicability of GDPR makes for a good transition into its spirit: the three-legged stand of GDPR.

THE THREE-LEGGED STAND OF GDPR

GDPR aims to create a modern data collection regulatory framework for Europe, adapted to our current and future needs. The last (and first) European directive on data protection dates from 1995, so an update was needed.

The key principles of GDPR are similar to those of the first directive, yet many changes have been made to the actual rules. Let's look at the significant changes, grouped in three categories for readability: privacy by design, data ownership and control, and finally consent and penalties.

I. PRIVACY BY DESIGN

The principle of privacy by design was coined in the 1990s to describe the idea of building data protection in from the beginning of the design phase of a product or service, instead of adding it afterwards.

In practice, it means that the system should only collect the data required for its functioning (data minimization), and restrict access to this data to the smallest set of people and services required for the processing (least privilege).

GDPR - privacy by design

Privacy by Design Principles

This principle is a welcome and significant addition to GDPR, mainly for what it symbolizes. In a world where all software and services followed the privacy by design principle, data protection regulation would be redundant. Companies will not shift their perspective overnight because of a law, but at least it shows that the EU understands the necessity of privacy.

II. DATA OWNERSHIP AND CONTROL

GDPR - rights overview

Under GDPR, European users are given a whole new set of rights, giving them more control over the way online services can collect and process their data.

The diagram summarizes those new rights; we’ll detail the most impactful ones individually.

Those new individual rights will demand significant development work from businesses handling customer data. For instance, they must now give their customers a way to access, correct, and delete their data, in practice an interface.

While big companies have already implemented such interfaces, smaller ones might need the help of a third-party provider to comply. Exhaustive compliance will be a long process, and many companies, including major ones, will not be there for some time.

Data Portability

Data portability refers to the concept of making user data easily transferable from one service to another. In practical terms, GDPR stipulates that users must be able to obtain the data they provided to a given service in a structured, commonly used and machine-readable format.

Data portability makes it easier for users to switch from one service to another and lets them easily back up their data locally.

Data portability will be a hard measure for telecom operators to implement. Common formats will have to be agreed on so customers can take their data from one provider to another. In France, it has been the norm for telecom operators since 2007.

Telecom companies in general, which collect, store, and analyze massive volumes of customer data, will have to rethink a large part of their processes, and potentially explore new revenue streams.

Right of Access

The right of access is a major shift for data transparency. Data subjects can ask the controller (the organization deciding why and how the data is processed) whether their personal data is being processed, where, and for which purpose, and obtain a copy of it. Along with the right to be forgotten below, both rights bring significant limitations to data collection practices.

Right to be Forgotten

The right to be forgotten (the right to erasure) is already implemented in some countries such as France. It gives the data subject the possibility to:

  • have his or her personal data erased
  • stop further dissemination of the data
  • (potentially) have third parties halt the processing of the data

III. CONSENT, RESPONSIBILITY AND FINES

GDPR - gathering consent

The rules for gathering consent have been updated to fit the internet's current reality, where terms and conditions are quite often stuffed with legalese to bury controversial clauses. Now, the request for consent has to be presented in an intelligible and easily accessible form, using clear and plain language, and consent must be freely given, specific and unambiguous. Finally, it must be as easy to withdraw consent as to give it.

Altogether, the new rules surrounding consent give individuals more control while making questionable practices (legalese, deliberately unclear terms and conditions, pre-ticked boxes...) illegal.

Penalties on revenues

Non-compliance penalties are significantly increased, both in size and in scope, and follow a tiered approach. For the most serious violations, such as breaching the basic principles of processing, the conditions for consent, or data subjects' rights, companies can be fined up to €20 million or 4% of their annual global turnover, whichever is higher. Lesser violations, including failing to implement privacy by design, to notify the relevant authority and data subjects of a breach, or to conduct a data protection impact assessment before high-risk processing, carry fines of up to €10 million or 2% of global turnover.

Data Protection Officers

Businesses whose core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of sensitive data (health data, criminal records), as well as public authorities, will have to appoint a Data Protection Officer.

The DPO will be the main contact point between the data protection authority and the business. They must be free of any other task that could result in a conflict of interest, have access to the appropriate resources to carry out their task, and have the right skills. They must also report directly to the highest level of management, and their contact details must be provided to the relevant DPA.

Finally, data breaches must now be documented internally, and those likely to result in a risk to individuals must be notified to the competent national supervisory authority within 72 hours of the controller becoming aware of them, and to the affected data subjects when the risk is high.

GDPR - DPO flowchart

Does your company need a Data Protection Officer (DPO)? Flowchart

WHAT DOES GDPR MEAN FOR BUSINESSES?

GDPR will impact all businesses collecting and processing personal data. Online services such as social networks will be heavily affected, but so will any company handling large customer files, such as telecom operators or marketing companies.

We'll consider the impact of the new law on telecom companies before introducing resources to help you comply, whatever your trade is.

GDPR FOR TELCOS

Telecom companies will be significantly affected by GDPR. Any business that transfers information for data warehousing, reporting and marketing purposes will now need to be ready to delete or 'anonymize' these data sets.
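What "anonymizing" a data set before it leaves the billing system can look like in practice, and how it ties back to the data minimization and least-privilege points made under privacy by design above, as an added example that is not part of the original article: a call-detail-record (CDR) export for marketing analytics that keeps only the fields the report needs, lowers their precision, replaces phone numbers with keyed pseudonyms, and implements erasure by destroying the subscriber's key. The CDR field names, the sample records and the in-memory key store standing in for a key-management service are all assumptions made for the illustration.

```python
"""Minimise and pseudonymise call records before exporting them for analytics.

Added illustration, not the article's code. The CDR schema, the sample
records and the in-memory key store are assumptions for the example.
"""
import hashlib
import hmac
import secrets
from datetime import datetime

# Constructed sample CDRs (not real data); field names are an assumption.
SAMPLE_CDRS = [
    {"caller": "+33612345678", "callee": "+34600111222",
     "start": "2018-05-25T10:42:17", "duration_s": 312,
     "cell_id": "208-01-1234-5678", "voicemail_audio": "<opus bytes>"},
    {"caller": "+34600111222", "callee": "+33612345678",
     "start": "2018-05-25T11:05:02", "duration_s": 41,
     "cell_id": "214-07-4321-8765", "voicemail_audio": None},
    {"caller": "+33612345678", "callee": "+351910000000",
     "start": "2018-05-26T09:00:59", "duration_s": 1800,
     "cell_id": "208-01-1234-9999", "voicemail_audio": None},
]

EXPORT_FIELDS = {"caller", "callee", "start_hour", "duration_bucket", "network"}


class PseudonymKeys:
    """Per-subscriber HMAC keys (stand-in for a key-management service).

    Pseudonyms are keyed per subscriber, so deleting one subscriber's key
    makes every exported row about them unlinkable to their number, even in
    warehouse copies or backups the telco can no longer reach (crypto-shredding).
    """

    def __init__(self):
        self._keys = {}

    def key_for(self, msisdn):
        if msisdn not in self._keys:
            self._keys[msisdn] = secrets.token_bytes(32)
        return self._keys[msisdn]

    def forget(self, msisdn):
        """Right-to-erasure hook: delete the key, not just the rows."""
        self._keys.pop(msisdn, None)

    def knows(self, msisdn):
        return msisdn in self._keys


def pseudonymise(keys, msisdn):
    """Stable keyed pseudonym: same number -> same token while its key exists."""
    key = keys.key_for(msisdn)
    return hmac.new(key, msisdn.encode(), hashlib.sha256).hexdigest()[:16]


def duration_bucket(seconds):
    """Coarse buckets are enough for marketing; exact durations are not exported."""
    if seconds < 60:
        return "<1min"
    if seconds < 600:
        return "1-10min"
    return ">10min"


def minimise(record, keys):
    """Project a CDR onto the analytics schema, with identifiers pseudonymised
    and precision lowered. Voicemail audio and the exact cell are never copied."""
    started = datetime.fromisoformat(record["start"])
    # MCC-MNC identifies the network, not the cell: fine for market-level
    # reporting, too coarse to follow a person around.
    mcc, mnc = record["cell_id"].split("-")[:2]
    return {
        "caller": pseudonymise(keys, record["caller"]),
        "callee": pseudonymise(keys, record["callee"]),
        "start_hour": started.strftime("%Y-%m-%dT%H:00"),
        "duration_bucket": duration_bucket(record["duration_s"]),
        "network": f"{mcc}-{mnc}",
    }


def export_for_analytics(cdrs, keys):
    """Build the warehouse feed; refuse to ship anything outside the schema
    or any raw phone number that slipped through (defence in depth)."""
    rows = [minimise(r, keys) for r in cdrs]
    for row in rows:
        if set(row) != EXPORT_FIELDS:
            raise ValueError(f"unexpected fields in export: {set(row) - EXPORT_FIELDS}")
        if any(str(v).startswith("+") for v in row.values()):
            raise ValueError("raw MSISDN found in export")
    return rows


def erase_subscriber(keys, msisdn):
    """Erasure request: once the key is gone, rows already exported (and any
    copies of them) can no longer be linked back to this subscriber."""
    keys.forget(msisdn)
    return not keys.knows(msisdn)


if __name__ == "__main__":
    store = PseudonymKeys()
    for row in export_for_analytics(SAMPLE_CDRS, store):
        print(row)
    print("erased:", erase_subscriber(store, "+33612345678"))
```

Two design choices are worth spelling out. Minimisation happens at export time, on the producing side, rather than by filtering in the warehouse: the analytics team (and its backups) then never holds the voicemail audio or the exact cell, which is the least-privilege point. And erasure is keyed per subscriber so that a right-to-erasure request can be honoured even for copies the operator cannot delete, which is exactly the case the conclusion raises for immutable ledgers.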

Data controllers will have to appoint a Data Protection Officer (DPO) if the processing is done at large scale. The enforcement of data portability will also force telecom companies to provide their customers' data in a standard format.

It might seem like a lot to change, but there is also some great news. The legal framework is unified for the whole of Europe: complying with one regulation, under a lead supervisory authority, is much simpler than with a different regime in each member state.

GDPR will require from businesses planning, regular impact assessments, and the implementation of new procedures. Companies that already handle European user data must go through several steps:

  • Where consent is the legal basis, ask new customers for explicit consent to collect and use their data.
  • Reach out to existing customers to review their data needs, and get rid of extraneous information.
  • Train their staff to ensure continued compliance.

TCS (Tata Consultancy Services) produced a very comprehensive table summarizing the main changes telecom companies must implement:

GDPR - telco overview

AN OPPORTUNITY TO LEVEL THE PLAYING FIELD

Yes, the short-term implementation of GDPR compliance requires extra work from businesses. But this short-term inconvenience gives them the chance to adopt better data management practices and improve their efficiency. If businesses embrace GDPR and build reliable privacy mechanisms, they will gain the trust and loyalty of their customers and prospects, ultimately boosting their sales.

GDPR or not, they would have had to clean up their practices anyway. More and more data is collected every day, and we're only at the very beginning of a data explosion. With the development of the Internet of Things, data minimization will become crucial to preserve the efficiency of the networks.

RESOURCES TO FACILITATE COMPLIANCE

The specifics of GDPR compliance for each industry can be tedious, so here are some resources to help you comply. The first batch is for everyone, and then we'll get into specific industries.

Before we dive into the industry specifics, here is a very well designed checklist made to help you with GDPR compliance. The response its creators received was so positive that they even created a tool to help you easily create GDPR-compliant forms.

If you are working in the telco industry, here is another good read to quickly grasp what will be required for GDPR compliance.

CONCLUSION

Regulations are not just constraints. When they are carefully and collaboratively created and enforced, they can even represent an immense opportunity, by setting a clear framework everyone understands and trusts.

Nevertheless, no law is flawless, and GDPR is no exception. While the new rights granted to users are welcome, they were designed on two assumptions:

  1. Centralized organizations are storing the personal data of EU citizens in a few locations.
  2. A world in which corporate leaders are responsible for implementing regulatory standards.

Because of this, blockchain-based projects will soon prove to be a great challenge for GDPR. Indeed, two governing principles of blockchains are directly in conflict with the law:

  1. The network is decentralized, made up of thousands of nodes and computers spread around the world.
  2. Blockchains are immutable and generally cannot be changed once a block is created.

Let's conclude with positive news then: it seems we will not have to wait 20 years for the next update of the legal framework this time.