General Data Protection Regulation

NICE CXone complies with General Data Protection Regulation (GDPR). The purpose of the GDPR is to strengthen individuals' control over their data. The GDPR is a set of regulations and requirements established by the European Union (EU). NICE CXone has supported companies across the EU for many years. The GDPR applies directly to companies located in the EU. It also extends to multinational companies that do business in the EU. This page contains basic information on the GDPR and NICE CXone compliance.

The GDPR ensures:

  • Access: Enables end users to review and correct their data.

  • Erasure: Enables end users to request that you "forget" them. Companies can "forget" users by deleting or anonymizing their data.

  • Data Portability: Enables end users to move their data to another provider. Companies do so by providing a copy of the user's data in a machine-readable format.

  • Consent: Strengthens requirements around getting consent to process end-user data. Processing includes things like recording an interaction.

  • Data Access: Ensures that end user data doesn't move outside the EU without the assurance of adequate security control.

There are two areas of the GDPR that are most applicable to contact centers. They are consent and data access. The following sections discuss these areas in more detail.

Important GDPR Terms Applied to CXone

Before discussing consent and data access, it is important for you to understand the following definitions. These definitions are summarized from Article 4 of the GDPR:

  • Data Subject: A data subject is any "natural person" that can be identified with data being processed. Your customers are data subjects.

  • Data Controller: A data controller is an entity that determines both the "why" and the "how" for processing the data of a data subject. Your business unit is the data controller. Your business unit determines how data is processed, stored, and transmitted by the data processor.

  • Data Processor: A data processor is the entity that actually performs the data processing on the data controller's behalf. NICE CXone is the data processor.

The GDPR has strict regulations around consent. All processing performed on end user data requires a legal basis. This includes things like email transcripts and voice recordings. Consent to be recorded is part of existing laws. Your business units are likely already providing the following notifications to your users:

  • That their call may be recorded.

  • The purpose of the recording.

These notifications may not be enough under GDPR. It depends on the reason for recording. For example, you may legally be required to record the call if you are providing financial services.

Depending on the circumstances, obtaining explicit consent may be necessary. Obtaining explicit consent requires you to:

  1. Notify the end user, or data subject, that they might be recorded.

  2. Ask for their consent to record the interaction.

  3. Track their consent so your business unit can prove GDPR compliance.

NICE CXone provides a variety of product features that can help you track consent. For example, you can use features like IVRClosed Automated phone menu that allows callers to interact through voice commands, key inputs, or both, to obtain information, route an inbound voice call, or both. or pre-chat forms to obtain consent. You can then use CRM integrations to track that consent and demonstrate compliance.

Data Access

The GDPR requires you to process data within the EU unless you have a legal basis for doing otherwise. You risk non-compliance if you process data outside of the EU without legal bases. While consent is one way to ensure compliance, it may not be the most appropriate option. If you're a global company, tracking your own consent for each contact can quickly become unmanageable. CXoneservices can help you protect your customers' data and stay GDPR-compliant. There are several ways for you to provide a legal basis for data processing if tracking consent is too difficult.

NICE CXone ensures GDPR compliance by:

  • Implementing compliant development and operational processes.

  • Validating policies and practices through external audits. These audits include:

There is no standardized audit for GDPR compliance. These external audits help ensure that we are implementing the proper data protections into our system by design. NICE CXone can provide you with tools and design capabilities that allow you to be compliant. CXone products meet other technical requirements of the GDPR for your:

NICE CXone also manages any onward data transfers to partners and services. You can add services to your business unit that protect your and your customers' data when processed through CXone. These services allow you to isolate data from groups of individuals according to their definitions. Their definitions could include location. As the data controller, only you know how the GDPR applies to your provisioning and what services you need to be compliant.

NICE CXone only acts as a data processor, not a data controller. We do not directly interact with your customers, the data subjects. You, as a data controller, use CXone GDPR processes as you interact with your customers.

Other GDPR Requirements and CXone Services

Your contacts may request data transfers or erasure. You must fulfill these requests to be compliant with GDPR. The NICE CXone data processor support organization is ready to help you ensure compliance. You can submit your contact's GDPR requests on the Privacy page in Admin. After you submit their request, their data will be removed from CXone applications.

NICE CXone also offers professional services to help you meet your compliance goals. Professional services understand the capabilities of CXone. They can help you determine the right features for your business unit. They can also help you make any required changes.