GDPR compliance for Teleopti WFM

VERSION 1.1
October 24, 2018

The European Union General Data Protection Regulation (EU GDPR) impacts many Teleopti customers. The essence and purpose of GDPR is an important one: the protection of you and me as individuals by demanding respect and care when someone is processing information about us.
Ensuring GDPR compliance is an ongoing matter. With the information below we want to clarify where Teleopti WFM stands regarding GDPR.

WFM software deals with personal data and Teleopti is committed to the protection of it

Workforce Management Software deals with personal data. Personal data is always to be processed with respect and consideration – and in a secure manner. The protection of your data, including personal data, is of highest priority to Teleopti.

Regarding persons in the EU, data protection is also about complying with GDPR. The selection of software vendors is part of being compliant. However, it is not that simple: in the same way that buying the safest car does not guarantee you are safe from accidents if you drive unsafely, choosing a compliant vendor does not make you compliant on its own. You will need processes and internal regulations in place to ensure software and technology is used in a GDPR compliant way. When it comes to WFM, we at Teleopti are committed to making GDPR compliance as easy as possible.

Consider the main principles of GDPR and how they apply to Teleopti WFM

The main principles of GDPR have a direct impact on management of the workforce, and on how WFM software is used.

Personal data should be processed lawfully, fairly and in a transparent manner in relation to agents. Apart from scheduling, agent data in Teleopti WFM is also often used for coaching and engagement purposes, noting where agents’ competencies lie, across which channels and skills. This is all to build a complete view of who your agents are, but it means a great level of responsibility as to how this data is used and what kind of conclusions are made from it. You need to be transparent with your agents on what information about them is stored by your WFM software.

Personal data should only be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. The data processed should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. As an employer, you need to process information on your employees, for example, for scheduling purposes. However, since Teleopti WFM offers flexibility in how to use the software, you need to analyze what data is being put in the software, how it is used, and how it corresponds to the legitimate purpose for your processing.

Integrity of data, keeping it accurate and up to date, is just as important to you as it is to the agents. Furthermore, a general principle of GDPR is that personal data shall be processed in a manner that ensures appropriate security of the personal data, focusing on integrity and confidentiality. By using appropriate technical or organizational measures, data should, for instance, be protected against unauthorized processing and accidental loss, destruction or damage. One contributing factor is to select software vendors that are committed to GDPR compliance and information security. Privacy and data protection are incorporated into Teleopti’s Information Security Management System. Organizational and technical security measures will ensure an appropriate level of security, based on information classification and risk assessments. The key aspects of Teleopti’s Information Security Management System are:

  • Confidentiality – preventing the disclosure of information to unauthorized individuals or systems.
  • Integrity – assuring the accuracy and consistency of data over its entire lifecycle.
  • Availability – ensuring information is available when needed.

Personal data should be kept in a form which permits identification of an agent for no longer than is necessary for the purposes of the processing and an agent has the right to demand erasure at this point. In Teleopti WFM, an automatic purge of data is set up based on a data retention policy for different types of data. Furthermore, it is possible to perform deletion of one specific agent. However, deletion of agent data can also be performed as pseudonymization, making an agent unidentifiable but without ruining the historical data used for scheduling optimization.

What is Teleopti doing when it comes to GDPR?

We train all our staff on information security, the importance of privacy and data protection, and on GDPR and how this applies to us, in our Teleopti WFM services, as well as our customer-related processes and internal processes.

We perform internal risk assessments regarding the types of personal data that are typically processed in Teleopti WFM as well as personal data processed by us as part of the services we offer. Furthermore, we make internal assessments regarding confidentiality, integrity and the availability of these types of personal data. Based on these analyses and the development of best practices we continuously revise our product roadmap, internal security requirements and customer related processes, such as customer support. Several adjustments have already been put into effect and more will be continuously rolled out. The analyses are being updated continuously as changes are made to our services.

Teleopti’s GDPR activities and compliance are based on “Teleopti Personal Data Protection Framework”, which is an internal policy document integrated into our Information Security Management System.

Privacy by design and default
Privacy by design and default is an important part of data protection. The latter means that privacy settings and security functionality should be standard, as opposed to something that might be switched on if wanted. For Teleopti’s development teams, privacy by design implies, for example, that privacy should be embedded into the design and cover the entire lifecycle, being proactive not reactive, and being preventative not remedial. All our system developers follow our internal coding principles on information security, data protection and coding quality.

Answering to data subjects’ rights
In accordance with the standard Data Retention Policy, agents will be automatically pseudonymized three months after, and automatically deleted three years after, their leaving date. This time frame is a balance between usability and legitimate purpose on one hand and the agents’ right to privacy and deletion on the other. The Data Retention time frames in your installation can be configured. If an agent requests to be deleted immediately or soon after his/her leaving date, you can use manual pseudonymization and make the agent unidentifiable instead of deleting the agent and his/her corresponding data. Using pseudonymization will not distort historical data, while still meeting the former employee’s requirement that the retained data can no longer identify them.
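As an added illustration of the retention logic described above (example code, not Teleopti’s own implementation), the following Python sketch applies the two thresholds to a list of agent records, replaces direct identifiers with a salted pseudonym while keeping the shift history used for scheduling, and honours an immediate erasure request by pseudonymizing on demand. The 90-day and 1095-day values, the `Agent` record layout and the salt are assumptions for the example.

```python
from dataclasses import dataclass, field, replace
from datetime import date, timedelta
from typing import List, Optional, Set
import hashlib

# Standard thresholds from the document ("three months", "three years");
# the day counts are an assumption and would be configurable per installation.
PSEUDONYMIZE_AFTER = timedelta(days=90)
DELETE_AFTER = timedelta(days=365 * 3)


@dataclass
class Agent:
    agent_id: str
    name: str
    email: str
    leaving_date: Optional[date]
    # Historical scheduling data that must survive pseudonymization.
    shift_history: List[str] = field(default_factory=list)
    pseudonymized: bool = False


def pseudonym_for(agent_id: str, salt: bytes) -> str:
    # Salted hash: stable within the system so history stays joinable,
    # but not reversible to the original identifier without the salt.
    return "AGENT-" + hashlib.sha256(salt + agent_id.encode()).hexdigest()[:12]


def pseudonymize(agent: Agent, salt: bytes) -> Agent:
    # Strip direct identifiers; shift_history is kept untouched.
    pseudo = pseudonym_for(agent.agent_id, salt)
    return replace(agent, agent_id=pseudo, name=pseudo, email="", pseudonymized=True)


def retention_action(agent: Agent, today: date, erasure_requests: Set[str] = frozenset()) -> str:
    """Return 'keep', 'pseudonymize' or 'delete' for one agent on a given day."""
    if agent.agent_id in erasure_requests and not agent.pseudonymized:
        return "pseudonymize"          # manual request: make unidentifiable now
    if agent.leaving_date is None:
        return "keep"                  # still employed
    elapsed = today - agent.leaving_date
    if elapsed >= DELETE_AFTER:
        return "delete"
    if elapsed >= PSEUDONYMIZE_AFTER and not agent.pseudonymized:
        return "pseudonymize"
    return "keep"


def run_purge(agents: List[Agent], today: date, salt: bytes, erasure_requests: Set[str] = frozenset()) -> List[Agent]:
    """Apply the retention policy once; returns the records that remain."""
    kept = []
    for a in agents:
        action = retention_action(a, today, erasure_requests)
        if action == "delete":
            continue
        kept.append(pseudonymize(a, salt) if action == "pseudonymize" else a)
    return kept
```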

Guides on answering data subjects’ rights are available to our customers in the online help.

The use of sub-processors
In order to provide you with great support, Teleopti’s support function employs staff in Sweden, in the US and in China. In addition, we might on an ad-hoc basis use Teleopti staff within Teleopti group for specific activities and implementation projects. Standard Contractual Clauses are applied within the Teleopti Group.

Teleopti WFM Cloud is hosted on Microsoft Azure. Teleopti will not engage a new sub-processor without prior approval from the personal data controller. Teleopti ensures that any Teleopti affiliate, or subcontractor processing personal data on behalf of us, has an adequate level of protection and that appropriate safeguards have been put in place fulfilling the requirements of GDPR, either under the standard contractual clauses for the transfer of Personal Data to processors established in third countries, as approved by the European Commission in Commission Decision 2010/87/EU of 5th February 2010 (“Standard Contractual Clauses”), or by having been certified under an approved certification mechanism, such as the EU-US Privacy Shield Framework or any approved certification mechanism replacing Privacy Shield.

When hosted on Microsoft Azure, the geographical location of your data will be restricted to specified Microsoft Azure datacenter(s). Microsoft has datacenters at several locations both within and outside of the EU/EEA area. Your data is always separated from other tenants’ data.

Relevant sub-processors are defined in an appendix to our Data Processing Agreement.

Personal Data Breach Notification
Should a personal data breach occur, Teleopti will provide notification and information to affected customers so they can notify their supervisory authority in accordance with GDPR requirements. Such communication would be sent from our service desk to the Information Security Contact appointed by the customer.

Regarding prevention, detection and handling of personal data breaches, Teleopti has technical measures, processes and routines in place as part of the Information Security Management System.

What can you do right now?

As a personal data controller, you need to make sure that the way your organization uses your WFM software is compliant with the requirements in the GDPR. For example, do all types of personal data processed correspond to the legitimate purpose? If you have not done it already, you might want to assess the confidentiality and integrity aspects of the data you process in your WFM software.

For our customers we are providing more details on GDPR compliance in Teleopti WFM. Please log in to our Customer Center on www.teleopti.com or contact our service desk for a copy.

If you are about to become a customer of ours, or if you as a customer lack a Data Processing Agreement with us, please sign our standard Data Processing Agreement for either WFM Cloud or WFM Product on premises (https://www.teleopti.com/wfm/legal/dpa.pdf). Also, make sure that we have the right information regarding the Information Security Contact at your side.

Moving forward

Personal data is always to be processed with respect and consideration – and in a secure manner. The protection of your data, including personal data, is of highest priority to Teleopti, and part of that is enabling GDPR compliance. Teleopti continuously delivers updates and improvements to Teleopti WFM. In addition to new product features and innovations, we have a high priority on features to enable and simplify GDPR compliance for our customers on our near-term roadmap. GDPR compliance was not a task ending in April 2018; data protection is continuous work and, to us, business as usual.

Please note that Teleopti does not offer legal advice or GDPR consultancy.


View previous versions of this document

GDPR compliance for Teleopti WFM - March 7, 2018