How Avaya Customers Can Make Sense of GDPR and BCR in Europe
Avaya solutions have always given customers data handling capabilities that can help them to meet their legal obligations with regards to personal data. At Avaya we are complying with GDPR and we are enabling our customers to meet their own GDPR obligations. We have worked on several different areas—here are the three most relevant:
Contractual Commitment to Privacy
Over the last four months, all of our customers and partners doing business with Avaya in the EU have received a personal data processing addendum for customer (DPA). This DPA applies to Avaya as the processor of personal data on behalf of our customers and partners. In essence, the DPA provides the necessary contractual rights so that our customers are in control of the data entrusted to Avaya to process and Avaya commits to adopting certain technical and organizational measures to protect the data.
It must be noted that there is no standard template that companies could use when implementing GDPR. Thus, companies drafted their own templates—some were very creative. The Avaya one is very simple, balanced, and customer-friendly. Avaya’s DPA template reflects only the mandatory requirements both parties have under GDPR. The Avaya team chose a hybrid model: all global customers and large tier one partners were addressed by the contract negotiators (CNs) personally who then entered into negotiations. In Europe, the CNs were very successful and reached agreement in almost all cases. All other customers and partners were approached by mass emails leading them to the electronic signature provider Docusign and the pre-signed DPA, providing them the opportunity to countersign electronically, which was the fastest and most cost-effective method.
Data Protection by Design and Default
It is important to note that Avaya’s portfolio of on-premise and cloud-based solutions already have embedded many technology features that help companies to meet privacy by design and default requirements. We are here to advise on the individual settings within your system and to work with our customers and partners teams to make sure they can use our solutions in the most privacy-enhancing ways.
International Transfers and the importance of Binding Corporate Rules
As a multinational organization, Avaya can provide world class support 24/7. To do this we use various locations around the world and offer such a service based on the follow-the-sun principle. This geographic diversity means personal data is processed from various international locations. Reflecting our commitment to data protection principles, Avaya has obtained approval of the European Data Protection authorities for our Binding Corporate Rules (BCR), both as a processor and as a controller of personal data. This approval speaks for Avaya’s uniform and advanced data handing practices regardless of whether your data is processed in the European Union or outside it.
This means that a company can share personal data internally and export it outside the EU without additional legal basis to do so. Since 5 February 2018, Avaya has been approved with BCRs both as a processor and controller of personal data, meaning that the approval spans all of Avaya’s personal data-handling practices. BCR approval is crucial for global companies that operate digitally across borders. Companies with BCR authorization should rightly be understood to have superior data handling practices.
At Avaya, we are delighted to have gained BCR authorization as processors and controllers of personal data and that we were able to prepare our customers well in advance for the arrival of GDPR.