Five Tips for Managing Voice Data in the GDPR Era

Article Featured Image

The United Kingdom’s Information Commissioner’s Office ordered the nation’s tax authority to delete 5 million voice recordings used to provide biometric authentication for British citizens by June 5, 2019, ruling that since callers weren’t given the chance to provide consent or to opt out, the tax authority was violating the European GDPR legislation.

The legislation, which went into effect a year ago, require explicit consent for any form of biometric authentication, highlighting some of the challenges of how to manage voice data in a post-GDPR world.

Speech technology experts offer the following five tips:

Use Data Mapping

To comply with the GDPR, companies need to implement data mapping to understand the clear role in the flow of data, says John Samuel, executive vice president and former CIO of CGS. “They’ll need to revise their privacy and cookie policies, and add consent provisions to websites. To ensure compliance, they should implement written agreements with clients and vendors and, where needed, provide Employee Awareness training. Call center agents especially should go through mandated GDPR awareness training that outlines the key areas of GDPR and compliance.”

Voice data is no exception when it comes to compliance and data protection, Samuel adds. “With the advent of speech analytics with neuro-linguistic programming (NLP) and natural language generation (NLG), the challenge becomes even harder. Voice recordings and data should follow similar to general data mapping and protection guidelines.”

Be Diligent About Deleting Archived Voice Data

Voice data is unstructured, so the information isn’t as easy to track as structured data, says Siobhan Miller, vice president, portfolio market strategy at Verint. As a result, the voice data may exist in different files in different areas of the organization. So if the consumer requests that the voice data be deleted, the organization needs to find any area where it exists and ensure that the records are deleted—unless it is being retained for HIPAA and similar regulations that supersede GDPR (it is unlikely that this data is in a voice format). Ensuring that the voice data is tagged upon capture will help automate the search function, making later deletion much easier.

“If you ask for someone’s consent for collecting the voice data, make sure you have a way to track it,” Miller says.

Ensure Encryption

The voice data needs to be encrypted in transit as well as at rest, Miller points out. Many organizations encrypt data at the disk level or at another level “at rest,” but don’t have it encrypted when it is being transmitted, making it vulnerable to attack. Encrypting the data in transit will protect the information in the event of a breach as well as alleviate some potential fines as well as some of the notification requirements.

Minimize Data Collection

GDPR again highlights the adage of not collecting unneeded data, says Pearl Lieberman, product marketing manager at NICE. “The management of voice data, or any other digital channels data, requires the ability to minimize the collection and processing of personal data by way of applying efficient data tagging and system visibility. All data processors should be able to know why and where their customers' PII (Personally Identifying Information) is collected, and leverage dedicated mechanisms to automatically purge the system and protect information with encryption.”

Automate GDPR Compliance

Automate processes wherever you can, Miller says. “Relying on manual processes—an agent to enter a customer ID on a record or flag a call as including consent creates risk. You don’t want to create situations where an agent switches focus from making sure the customer needs are met to handling a checklist of activities you need to ensure you’re GDPR compliant later—things like entering an ID number or checking that consent was given.

“Manual processes create variability,” Miller adds. “An agent seeking to assist a customer or take on the next interaction may inadvertently overlook a compliance task. If you automate, you create consistency across all interactions without burdening the agent or impacting levels of customer service.”

Lieberman agrees: “Taking into account the velocity of voice data in the contact center, these tasks necessitate analytics and automation to assure a successful strategy.”

SpeechTek Covers
for qualified subscribers
Subscribe Now Current Issue Past Issues
Related Articles

Protecting User Data: How Close is the US to its Own GDPR?

GDPR has already had wide-ranging consequences for companies collecting data, and now some are calling for federal regulations in the U.S. Voice-data isn't exempt from the regulations, and vendors need to be ready.

Q&A: Deborah Dahl on Natural Language Understanding

Jim Larson talked to Dr. Deborah Dahl, Principal, Conversational Technologies about the increasing importance and capabilities of natural language processing, speech recognition, and

Software Inside the Hardware: Unlocking the Skills in a VUI

Much as developers rushed to put new apps onto Apple's App Store in 2009, we're seeing a bit of a gold rush to develop new skills for voice assistants. But developing for a VUI is an entirely different challenge.

Apple to Let Users Opt Out of Siri Response Grading Over Privacy Concerns

Apple has temporarily suspended its Siri response grading program over privacy concerns and says users will be able to opt-out in future iterations of its popular voice assistant.

Ethics and Algorithms—Exploring the Implications of AI

Concerns have been voiced about how AI and speech technologies are now being used, but solutions are not clear-cut