GDPR Legislation Act May 25th 2018

Any and all non-support discussions

Moderators: gerski, enjay, williamconley, Op3r, Staydog, gardo, mflorell, MJCoate, mcargile, Kumba, Michael_N

GDPR Legislation Act May 25th 2018

Postby dspaan » Mon Dec 18, 2017 4:57 am

Since i didn't find a topic about this i'm starting this discussion. Over here in Europe every company is working on this, i've heard Google even has a team of 140 people working on preparing for this new legislation.

When doing a search for 'vicidial gdpr' i only found this: https://bluetelecoms.com/gdpr-regulation-call-centres/

Regarding Vicidial this could possibly mean some changes are needed. I'm not sure at this point which changes entirely but an important aspect is the right to be forgotten and the right to request a copy of any personal data stored in their regard.

right to request a copy of any personal data
I've already received one request to provide a former client of an overview of the data we had in vicidial about this person. As far as we can see right now this includes the recordings!
So in this case what i did was did a lookup of the clients phone number and make a screenshot of the lead modify screen and a download of the recordings. This was then e-mailed to the client.
It could be useful to simplify this process so there is a button that exports all client data to a PDF file and downloads the recordings at the same time (maybe bundled together in a zip file?).

I found a nice topic on the GDPR on the Hotjar site:

https://www.hotjar.com/gdpr

In summary, here are some of the key changes to come into effect with the upcoming GDPR:


Expanded rights for individuals: The GDPR provides expanded rights for individuals in the European Union by granting them, amongst other things, the right to be forgotten and the right to request a copy of any personal data stored in their regard.

Compliance obligations: The GDPR requires organizations to implement appropriate policies and security protocols, conduct privacy impact assessments, keep detailed records on data activities and enter into written agreements with vendors.

Data breach notification and security: The GDPR requires organizations to report certain data breaches to data protection authorities, and under certain circumstances, to the affected data subjects. The GDPR also places additional security requirements on organizations.

New requirements for profiling and monitoring: The GDPR places additional obligations on organizations engaged in profiling or monitoring behavior of EU individuals.

Increased Enforcement: Under the GDPR, authorities can fine organizations up to the greater of €20 million or 4% of a company’s annual global revenue, based on the seriousness of the breach and damages incurred. Also, the GDPR provides a central point of enforcement for organizations with operations in multiple EU member states by requiring companies to work with a lead supervisory authority for cross-border data protection issues.
Regards, Dennis

Vicibox 9.0.1
Version: 2.14b0.5
SVN Version: 3199
DB Schema Version: 1588
Build: 200310-1801
dspaan
 
Posts: 1377
Joined: Fri Aug 21, 2009 1:40 pm
Location: The Netherlands

Re: GDPR Legislation Act May 25th 2018

Postby mflorell » Fri Mar 02, 2018 4:21 pm

We have just added new GDPR compliance features to VICIdial in svn/trunk:

http://vicidial.org/docs/EU_GDPR_COMPLIANCE.txt
mflorell
Site Admin
 
Posts: 18379
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida

Re: GDPR Legislation Act May 25th 2018

Postby scicali » Mon Mar 05, 2018 10:41 am

Another important aspect is "Privacy by Design" and "accountability".
To full GDPR compliance Vicidial need users and agents handling with strong security features: user expire, password expire, password change, force strong password ecc
scicali
 
Posts: 22
Joined: Thu Nov 28, 2013 6:21 am

Re: GDPR Legislation Act May 25th 2018

Postby mflorell » Mon Mar 05, 2018 2:49 pm

I haven't heard of "user expire" and "password expire" as security features before, could you explain exactly how those are supposed to work?

As for password change on a schedule, several studies and now the NIST itself have said that forced scheduled password changes make accounts less secure, as such that's not really something we're interested in adding to VICIdial.

As for forcing of strong passwords, we have always considered that to be an IT management function. Also, there is no standard for what a "strong" password is. Last year we changed VICIdial to allow for up to 100-character passwords, since the new NIST recommendations now echo what several security studies have shown: that password complexity is worthless, and the only thing that matters is the length of the password. I recently had to create a new account on a federal communication system and that system required passwords be 30 characters in length or more, with no special character requirements. Adding something like that would probably be the easiest kind of forced password security option for VICIdial.
mflorell
Site Admin
 
Posts: 18379
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida

Re: GDPR Legislation Act May 25th 2018

Postby dspaan » Mon Mar 05, 2018 6:06 pm

I think long passwords are better then complex passwords but for agents i don't know if this is practical. For admins, no problem. Also if you close all ports in yast (whitelisting), are these measures still neccesary i wonder? Wouldn't an attack from outside be zero to none? The only weak part is that a compromised machine within the LAN would be able to breach the system.

We do have some of our servers equipped with an SSL certificate because some companies require this. I had to hire a guy to setup Let's encrypt and setup a script that opens and closes firewall ports when renewing. It would be cool if that were included in vicibox.
Regards, Dennis

Vicibox 9.0.1
Version: 2.14b0.5
SVN Version: 3199
DB Schema Version: 1588
Build: 200310-1801
dspaan
 
Posts: 1377
Joined: Fri Aug 21, 2009 1:40 pm
Location: The Netherlands

Re: GDPR Legislation Act May 25th 2018

Postby scicali » Tue Mar 06, 2018 4:14 am

user expire -> if user not logged in, after x months will be disabled
password expire -> password change on a schedule

Strong password rules in Italy, from 2004, (first implementation of privacy rules) to protect "lead personal data" (phone number, address, age, name ecc)
at least one capital letter
at least one lowercase letter
at least one number
at least one special character
at least 8 characters long
password change on 60 days shedule
you can not use previous 3 passwords
if user not logged in, after 6 months will be disabled
You can not use you First or Last name in password

You consider only outside attack... but if your employee who wants to steal lead personal data?
During an assessment with an important italian telco, to match GDPR compliance, we will be:

encrypt server hdd that stores personal data (ie Vicidial db)
block usb storage in workstations
disable administraton privileges in workstations
not share lead personal data by mail (i.e. file to load or downloaded from Vicidial)
Use shared folders (or ftp or https download) to share lead personal data; protect by personal passwords, server hdd encrypted.
internet sites whitelist
S.O. and antivirus updated
hdd secure erase in decommissioned workstations
no lead personal data or saved passwords in workstation used more than one person (with same windows user profile)
https in outside connection
Firewall and intrusion detection systems
Data breach procedures
Disaster recover procedures

This to explain what GDPR is.. is not paranoia! is "accountability" concept. These are requests coming from a big Italian telco, which is one of our customers
scicali
 
Posts: 22
Joined: Thu Nov 28, 2013 6:21 am

Re: GDPR Legislation Act May 25th 2018

Postby dspaan » Tue Mar 06, 2018 3:15 pm

Hi scicali,

How far are you in implementing this list? The impact of the GDPR law is huge when you look at this.

Vicidial als has a feature to backup the database and files via FTP. Would this also be considered not compliant with GDPR you think? What about SFTP?
Regards, Dennis

Vicibox 9.0.1
Version: 2.14b0.5
SVN Version: 3199
DB Schema Version: 1588
Build: 200310-1801
dspaan
 
Posts: 1377
Joined: Fri Aug 21, 2009 1:40 pm
Location: The Netherlands

Re: GDPR Legislation Act May 25th 2018

Postby scicali » Wed Mar 07, 2018 7:10 am

I'm not so far, I consider about 60% of things in this list "basic security"; so they were implemented years ago.
I'm a php programmer from 2001 ad use vicidial from 2010, so i wrote a php application that synchronize passwords between the various company tools and match required password rules.

I have not considered ftp / sftp, but ftp transfer to internal ip is compliance. This is an example of GDPR "accountability" concept, if you think that ftp backup is not secure, you must implement SFTP.
And yes, GDPR impact is huge, all crm/application/software that contain EU citizen personal data must be updated, with "Privacy by design" and "accountability" concept.It's huge work!

I consider new GDPR features in vicidial, only the first step to compliance..
scicali
 
Posts: 22
Joined: Thu Nov 28, 2013 6:21 am


Return to General Discussion

Who is online

Users browsing this forum: williamconley and 128 guests