GDPR and Abacii’s Clients
The European Union’s General Data Protection Regulation (GDPR) will be in effect from 25 May 2018.
GDPR applies to any company that handles personal data, but appears to focus primarily on large-scale software businesses that provide a software service directly to many users. Such a software service may store many pieces of personal information about its users. The legislation also applies to non-EU businesses that offer services to users in the EU.
The goals of the regulation appear to be:
1. To make businesses a) explicitly ask users to consent to the storage and processing of their personal information and b) delete this personal information when asked to by the user.
2. To make businesses think carefully about how this personal information is stored and accessed and moved around within their systems. If necessary, these systems should be redesigned and rebuilt.
3. To make businesses plan for and report data breaches in which unauthorised entities acquire this personal information.
4. To specify methods that regulators can use to punish businesses that do not do (1), (2), and (3).
Some of Abacii’s clients operate services that store users’ personal information and may be subject to the GDPR. If so, they are required to assure themselves that their third-party contractors, such as Abacii, handle their data appropriately.
Data Management at Abacii
Data flows through Abacii’s systems in the following ways:
1. Consultancy (e.g. writing and tuning speech grammars, prompt translation, code development). The data is stored locally at Abacii during a project.
2. Transcription of audio data (a preparation step for consultancy work). The audio data is stored locally at Abacii during a project. It is usually also uploaded to a web server for transcription using Abacii’s custom web application. When logged in to the application, a transcriber can request a batch of audio data items. The batch is transferred to their browser and deleted when the transcriber requests a new batch. No functionality is available that allows the transcriber to download and store the audio items on their computer. After a transcription project has been completed, and the results have been transferred to the relevant person, the audio data is deleted from the web server.
It is worth noting that the audio data in (2) is highly anonymised. An automated call centre service will normally only ask for the user’s ID on a particular business’s system, rather than for personal information such as the user’s full name or email address. Additionally, conversations between a user and an automated call centre service are broken into many short segments and sorted into different categories for transcription – if a snippet of personal information occurs within a transcription, it is still very difficult to connect this to other information about the user that occurred within the original conversation. This segmenting usually occurs during data collection, before the data is transferred to Abacii. In the event of a breach of Abacii’s systems, a successful attacker would still need to invest a very large amount of time and effort in order to (perhaps) derive any usable personal information from the data.
For legal compliance reasons, it may be necessary for Abacii to sign a data processor agreement with a client. Such an agreement will outline Abacii’s responsibilities regarding the handling of personal data.
Abacii has prepared a data processing agreement for use between itself and any of its clients. Please click the following link to download it: Abacii_data_processing_agreement.