Do GDPR and voice recognition go along?
GPDR, personal data, Privacy by Design… These are all words that have shaken the media landscape since 25 May 2018: the date of entry into force of the European Union’s general data protection regulation.
Voice recognition services, like other technologies, collect and use user data for different purposes. In doing so, they are directly affected by the new provisions in this area.
Ethical issues, fraudulent uses… how to reconcile voice recognition and the GDPR?
Through this article, we will give you the keys to understand the basis of the GDPR and how to choose the right solutions to preserve your personal information or that of your customers.
The GDPR (General Data Protection Regulations) is the new European framework governing the processing and use of personal data. It replaces the former 1995 charter to provide a legal framework, both for the EU as a whole and for the digital explosion we are experiencing.
As you may already know or have guessed, the main objective of this treaty is protecting personal data. These data take different forms: a name, a picture, an IP address, an email or postal address, a fingerprint, a voice recording etc. They are particularly sensitive because they can give rise to discriminations or prejudices. In the interest of users, they must be subject to a particular treatment, we’ll come back to it right after.
The scope of this protection is not only territorial. Indeed, on European soil, all companies, regardless of their size or sector or field of activity, are affected by the new regulation. In order to avoid any abuse, the companies outside the European Union are also affected by the provisions of the DGPS when they process personal data from the territory.
How to choose the right solution? Our advice.
Let’s go back to the main principles of the GDPR that you must systematically pay attention to when you are looking for a solution or a provider.
The explicit consent of the user.
One of the fundamental rules of the GDPR (which was already partially respected by companies before) is the user consent toward data collection. When it is a form to be completed, a checkbox must be provided to obtain the user’s agreement. In the case of speech recognition systems, this information can take different forms. It can be a pop-up on an application or a mention in the general conditions of use. The main idea is that the individual using the system should be able to see this statement and confirm or reject it.
The user’s access to its data.
The user must be able, at any time, to have access to all his personal information. This data can take different forms. In the speech recognition ecosystem, they are generally audio recordings and the results of additionnal processing that allow characteristics or habits to be deduced. In addition to access, it is stipulated that it has control over it, both in limiting their use and in rectifying them.
The right to erasure.
In direct connection with the previous element, the right to delete is a right specific to each user. It allows you to claim the deletion of personal information with the various actors who own or use them. The latter, in order to comply with the GDPR, have 30 days to respond to the user’s request and assert their right.
The Privacy by Design principle.
The protection of personal data must be imperatively integrated into the various technological solutions and this from their conception. This is not about connectivity. Although products/services that operate locally (without the use of the Internet) are Private by Design by nature, this does not prevent connected solutions (e. g. in the cloud) from adopting measures to preserve personal information.
The DPO (Data Protection Officer).
Finally, a DPO must be appointed within the organization when this one :
- is a public body or public authority carrying out the processing of data
- carries out basic activities, concerning the data controller or subcontracting, which consist of operations requiring regular and systematic monitoring by virtue of their nature, scope or purpose.
- manipulates sensitive data on a large scale such as health information, biometric data or political and religious opinions.
Its main missions are to :
- Educate and train collaborators and partners in the GDPR.
- Manage data protection and security processes.
- Cooperate with the supervisory authorities and prove compliance.
- Support user requests.
With these elements in your hands, you are able to define whether a company or department is in compliance with the GDPR. It is essential to make sure of this before making a decision. Compliance is fundamental today, whether you are a company or a user.
Speech recognition is impacted by the GDPR, as are all other technologies that have an impact on the user’s personal data. Some cloud-based systems will suffer from these new guidelines, in line with the obligations they bring.
Par exemple, comme dit précédemment l’utilisateur est en droit de supprimer ses informations personnelles à tout moment. Sachant que les systèmes actuels, pour la plupart, sont basés sur le Machine Learning qui impliquent l’entraînement de l’IA avec les données de l’utilisateur. En retirant cette ressource, le système pourrait manquer d’informations et donc de potentiel.
Cela influence notamment les entreprises à repenser la place ou du moins l’importance des données dans la conception de l’IA et de ses fonctionnalités. D’un côté, l’acquisition de d’informations est plus réglementée donc plus fastidieuse, et de l’autre côté les utilisateurs ont une influence significative sur l’utilisation et le stockage de celles-ci.