Both providers and users of speech technology have good reason to read the fine print and understand the implications of the European Union’s General Data Protection Regulation (GDPR,) which takes effect on May 25, 2018. Since GDPR requires opt-in customer consent before companies can collect, process, or store a consumer’s Personal Information (PI) data, and expands the traditional definition of PI to include a user’s location, health and genetic data, sexual orientation, race, ethnicity, religious beliefs, or political opinions, one could ask: what’s more personal than the sound of someone’s voice?

The GDPR’s guiding principles of privacy protection and data minimization mean that companies can only collect what they absolutely need to conduct their business, and consumers can request that companies show them the data it has saved about them. Under the GDPR’s “right to be forgotten,” consumers can also request that customers delete all their PI. While the regulation came from the EU, any entity that collects, stores, and/or processes PI for citizens of the EU is subject to GDPR, wherever they’re based. And with fines that can range up to 4% of annual global turnover or €20 million, whichever is higher, companies in the speech technology industry can’t afford to be cavalier. 

Transparency and Necessity

The GDPR may raise an awkward issue for the voice tech industry: it requires reminding customers that you’re recording, analyzing, and storing their conversations in the first place. As Richard Brown, director at activereach, a provider of internet, networking, voice, and security solutions, points out, “Most customers assume that their email communication with a company may be stored long term, but they don’t necessarily think that’s the case for a voice conversation.”

According to Brian Martin, regional director for the UK and Ireland for Spitch, a Swiss provider of solutions based on automatic speech recognition, voice user interfaces and natural language voice data analytics, transparency is key to good GDPR compliance. He says, “You have to tell your customer that you are collecting their voice print and mention the benefits of doing so – like faster service, personalized attention, and a higher degree of security.” The consumer should be offered the ability to opt out of having their voice data recorded – and be able to access services even if they do so.

Martin says GDPR is a firm reminder to businesses that recording phone calls shouldn’t just be done because it’s possible, but only when strict standards of necessity have been met. “Is it necessary for contract fulfillment, for a legal requirement like Markets in Financial Instruments Directive II [MiFIDII,] for the public interest, to protect the interests of both parties?” asks Martin. “Or is it in the legitimate interest of the recorder which, it should be noted, does not override the interests of the person being recorded?” In a world increasingly sensitive to data privacy concerns, those are questions worth considering whether or not a company is subject to GDPR provisions.

With regard to AI-enabled devices like Siri and Alexa that listen to surrounding conversations, vendors will likely have to gain permission from European consumers to record and store voices, and ensure that downstream applications are GDPR-compliant as well. Under GDPR, says Brown, “There are a lot of interesting questions right now about recording and capturing voices on devices,” noting that some vendors who encrypt such data can’t even access it themselves. 

GDPR as Opportunity

The upside for speech technology providers around GDPR is that it’s not about burdens and regulations. “Our ability to help companies and enterprises access data, analyze it quickly, and report back means GDPR gives speech tech companies promising long-term opportunity to demonstrate compliance with the regulation,” says Martin.

But with May 25 just a few weeks away, it’s compliance crunch time. “There are a lot of questions to ask: what data is being collected, how is it used, where is it stored, who has access, how is it shared?” says Martin. “Talk to a compliance professional with expertise in the vertical in which you work.”