Below the Surface of GDPR

The last-minute exchanges of data processing agreements are signed, and many companies feel secure in the knowledge that everything is sorted, right? In this short article, Lee Suker, XConnect’s Data Protection Officer (DPO), charts five experiences and activities XConnect have undertaken which require continuous attention and maintenance.

1. Understanding Data Supply Chains.

Understanding who is a data controller and who is a data processor is critical to defining any data chain. Personal data can flow both ways in a data processing request and it is easy to overlook your potential data controller responsibilities.  For example, making a request for information about a telephone number and receiving a response from a supplier like XConnect raises some interesting points.

– The Supplier is a ‘Processor’ for the scope of maintaining records of the queries received and the answers returned.

– The Supplier may also be a ‘Controller’ for the underlying data and service it provides in order to return the information queried. The Supplier could also be a ‘Processor’ if the service is based on the pass through of information from their suppliers.

– The Customer could be a ‘Processor’, if they follow the instructions of their own customers, but more likely the Customer will also be a ‘Controller’.

The UK’s Information Commissioner’s Office provides some useful information to help you find the right answers: ICO Data Controllers and Data Processors: What the difference is and what the governance implications are.

2. Telephone numbers are highly likely to be personal data.

The most surprising outcome from market conversations over the last six months has been an opinion that Telephone Numbers are not personal data (as defined by GDPR). However, XConnect understand that many Telcos, A2Ps and information/data country regulators are taking the view that telephone numbers are personal information, and XConnect agrees.

We believe that Article 4 of the GDPR legislation makes it clear that Telephone Numbers are personal data. There are some cases that are less straightforward. For example, is number range data personal information? Probably not, but using number range data to determine whether a telephone number is valid can create personal data.

3. Appointing a Data Protection Officer (DPO).

In some cases nominating a Data Protection Officer (as defined under the EU’s GDPR) is voluntary, but even in those companies, doing so demonstrates an organisation’s commitment to the principles of data protection. A DPO has to have the relevant knowledge (and preferably experience) in Data Privacy legislation, and of course the greater the global knowledge (EU – GDPR, Privacy Shield etc.) the better. In our experience, some companies have been treating GDPR as a one-off exercise in contract preparation without recognising the enduring effort required to demonstrate accountability. ICO Data protection officers.

4. “Appropriate Technical & Organisational Measures” – Cyber Essentials

The title is a catch phrase you will have seen a great deal if you have been involved in your company’s preparations for GDPR. Maintaining these measures is a full-time role requiring constant vigilance and process management, for example:

– Ensuring that your product teams are following the Privacy-by-Design policies defined by your data protection board.

– Ensuring that Information Security teams are adopting appropriate state-of-the-art controls and management practices, such as those defined by Cyber Essentials (a UK government-backed, nationally accredited standard which requires external audit), for which XConnect are certified.

Although the UK is one of the countries leading in cyber security, only 1% of UK organisations have reached the bar of Cyber Essentials. You can find out more about this scheme, developed by the UK Government and industry, at this link: Cyber Essentials.

5. HLR Lookup remains secretive.

HLR Lookup is a service that provides mobile network information, and some of the attributes it returns include sensitive personal data. XConnect are aware that some MNOs and privacy regulators are taking the view that HLR Lookup is problematic, and as a result we are seeing increasing controls/restrictions and withdrawal of the service. In fact, we understand that using HLR Lookup can result in a breach of the data protection principles defined by Article 5.

At XConnect we do provide an alternative to HLR Lookup for routing applications, and we are developing compliant solutions, under the product line Phone Intelligence, to deliver additional services that in the past would have relied on HLR Lookup.
