5 important things to remember when protecting your customers’ personal data in the SMS market

Thaís Teixeira Bento unpacks some of the challenges telecommunications companies face in terms of compliance with data protection and related European Union legislative frameworks, and provides insights into how to better protect customer data.

Trust is a two-way street

During the 2021 MEF Connects Innovators event held online, one of the main topics discussed was the role of trust in the messaging business. The diverging interests of consumers and clients make complete trust from both sides look very hard to achieve: it seems that earning more trust from one side has to be paid for with an equal measure of trust from the other. At GTC, we don’t see this conflict as a problem, but rather as a necessary challenge to overcome: we see the commercial opportunities as well as the sheer requirement that maintaining compliance presents. We believe that a customer relationship built on trust is the key to better business, leading to rising messaging traffic and, therefore, more business.

Protecting your customers’ personal data is as important as protecting your own information assets

Companies tend to focus on protecting their own information assets above anything else. Although this subject has always been a “hot topic” from the legal perspective, personal data protection was never really at the forefront of companies’ concerns. Even today, most companies’ compliance efforts concentrate on implementing techniques and technologies aimed at information security. This is only a small part, though, of what is required to fully comply with personal data protection law. Never make the mistake of leaving the product itself out of your assessment of privacy risks and compliance; in our case, that product is the SMS.

Location is an important consideration

An SMS contains both content data and metadata. While the former is self-explanatory, the latter is structured information describing the message itself (hence the name “data about data”) that makes it easier to trace the source of the information. Both can fall under the definition of “personal data” in Article 4 (1) GDPR. But how can metadata fall within this definition? One example is the frequency with which SMS messages are exchanged between certain users. Metadata also contains the sender’s and receiver’s telephone numbers. If this information is not anonymised, it would be possible to identify the user, as well as where he or she is located. In that case, the data clearly falls under the GDPR definition of “personal data”.


Don’t let the fact that your telecoms company is seated outside of the EU lull you into a false sense of security! Due to its extraterritorial application, any company could be subject to the GDPR, provided that at least one of the criteria listed in its material scope and one in its territorial scope (Art. 2 and Art. 3 GDPR respectively) are met. Besides the GDPR, the ePrivacy Directive (Directive 2002/58/EC) also applies to the telecommunications business within the European Union. This directive currently regulates data exchanged through public electronic communication services such as mobile and landline telephony and their accompanying networks; it is not limited to personal data but covers any information exchanged from end-user devices, which makes the directive much broader. To “scare” you further (we hope not!), the word currently is a reference to the upcoming replacement of this directive with a reinforced regulation which, if the latest released draft is approved, will align it further with the GDPR and enrich it with principles established there, such as extraterritoriality and the obligation for companies established outside the EEA to appoint a representative within the EU. Finally, local laws and regulations cannot be dismissed.

The SMS – not simply for messaging anymore

The trend of SMS messaging is clear to see. With the rise of web-based messaging platforms, SMS has found new meaning as both a security tool and a vital aspect of marketing. In our interconnected world, traffic data is constantly increasing. This, in turn, makes the security and confidentiality of both content and metadata ever more valuable.

With this in mind, here are 5 important things to keep in mind to better protect your customers’ personal data.

(1) Regularly check your Technical and Organisational Measures (TOM). If you are working in a B2C environment you are most likely working with personal data. User data is an extremely valuable resource for any company, not just those in the telecoms sector, and you should have adequate technical and organisational measures in place to protect it. Cyber-security is essential to messaging, as it provides the reassurance that networks will not be vulnerable to cyber-attacks. Penetration testing and the correct monitoring and management of cyber-security incidents must be, if they aren’t already, of the highest standard.

(2) The customer is the epicentre. Your business will thrive once your customer understands the value of the confidentiality of their data and has turned that value into confidence and trust in your product and business. One way to show your trustworthiness comes courtesy of a GDPR requirement: the complete and timely handling of data subjects’ requests. There is a variety of data subject requests, such as access, rectification, restriction of processing, data portability or even erasure (the renowned “right to be forgotten”). A request handled with due diligence and care can only be seen as positive by customers. Not to mention that failing to process requests this way is a violation of the regulation.

(3) Be transparent. It is crucial that you tell your customers how and on what grounds their personal data is being processed. Transparency means having a privacy policy that is complete, easily accessible, easy to understand and directed at the audience you are speaking to. Where SMS is used to target children, or is sent to a phone registered to a child, for example, the language must be clear enough for the child to understand the processing and its purposes. Telcos should also consider formulating a clear data retention policy, so as not to be caught between the user’s data protection rights and regulatory demands for the retention of, and access to, data.

(4) Know your partners. It is very important that you know who you are working with. Whether or not your partners are fully compliant with data protection regulations might even become your company’s problem! Having a due diligence process in place and doing an annual review of your partners is a must. To guarantee that the roles and obligations of both parties (Data Controller and Data Processor) are being followed, a Data Protection Agreement (in short, “DPA”) must be signed between the contracting parties, based on the obligations imposed by Art. 28 (3) GDPR.

(5) Pay attention to cross-border data transfers. It is a fact that you will probably be transferring data across borders. There are, however, several ways of making sure that data is only transferred to a country with an adequate level of personal data protection. Checking that the country benefits from an adequacy decision of the European Commission or, if not, that appropriate safeguards are in place is how you assure that the country the data is transferred to will treat it with the same diligence and attention required of any member of the European Union.

Data protection regulation can, at first, appear to be an obstacle that adds cost to business development. The GDPR, however, should be treated as an ally: companies that comply with data protection rules are more attractive to consumers and, especially in the telecommunications industry, gain a real competitive advantage, reinforcing customers’ trust when doing business.

At GTC, we are committed to compliance and data protection matters, and are always keen to share tips on how to protect consumer data with our clients. In doing so, we can ensure that our clients can gain the trust of their customers and enjoy a competitive advantage in the market.

Global Telco Consult (GTC) is a trusted independent business messaging consultancy with deep domain knowledge in application-to-person (A2P) business messaging. GTC provides tailor-made messaging strategies to enterprises, messaging service providers, operators and voice carriers. We have expertise in multiple messaging channels such as RCS, Viber, WhatsApp, Telegram and SMS for the wholesale and retail industry.

GTC supports its customers from market strategy through service launch, running the operations and supporting sales and procurement. The company started in 2016 with a mission to guide operators and telcos to embrace new and exciting opportunities and make the most out of business messaging. For more information or industry insights, browse through our blog page or follow us on LinkedIn.
