Outbound Contact Support for GDPR
Logging
Sensitive data masking in logs
Behavior of the OCS component in relation to handling PII data in the logs could be configured with set of options where should be defined in sections “log-filter” and “log-filter-data”.
The log-filter section contains configuration options used to define the default treatment of filtering data in log output. It defines the treatment of all KV pairs in the User Data, Extensions, and Reasons attributes of the log, and also defines the behavior of selected call handling (such as T-Servers) and reporting applications when processing call related data.
The log-filter-data section defines the treatment of specific KV pairs in the User Data, Extensions, and Reasons attributes of the log. It overrides the general settings in the log-filter section. This section contains set of the keys in the User Data, Extensions, and Reason where should be handled when they are printed out into the log files. Refer to Common Configuration Options section for full details on sensitive data masking in logs.
Log rotation
Logging could be configured with option “expire” which define either the log files will be expired and if so then the maximum number of days before log files are deleted.
Sensitive data masking in log files and log retention implements Privacy by Design GDPR requirement.
Refer to Common Configuration Options section for full details on log rotation.
Handling PII data
The PII data the OCS operates with consists of the phone numbers, company names and any user data are could be dynamically formed based on the business process. The company which implement the data structure of the user data based on the business process of the company should care about handling these user data. The OCS store these PII data in the databases in form of calling lists and additionally the PII data could appears in the different log files of the OCS component.
The following table summarizes OCS sources which could contain PII data:
| Source | Form of storage | PII data |
|---|---|---|
| Calling List(s) | Table in the relational database | Potentially any type of PII data, stored in user-defined fields |
| Application Logs | Flat file(s) | Potentially any type of PII data |
| Audit Trail Logs | Flat file(s) | Phone numbers |
| Do Not Call List(s) | Table in the relational database | Phone numbers, Customer IDs |
| GSW Request Log(s) | Table in the relational database | Phone numbers |
| Record History Log(s) | Flat files(s) | Potentially any type of PII data, stored in user-defined fields |
Databases
The OCS use databases for two types of entities Calling and Do Not Calling lists and GSW Request Logs. First of all, the database administrators should follow general rules for maintaining GDPR-compliant databases. The general approach is following.
- Design data location – operating systems, primary and backup nodes.
- Design data access – limiting personal data access to as few as possible persons and roles.
- Design data storage – different storage systems provide number of mechanisms allows to store sensitive data securely. It could be full or part data encryption, secure protocols and so on.
All these items implement Privacy By Design GDP requirement for Calling List.
If there are databases are not encrypted and contains the PII data, then these databases should be reviewed for sensitive data and corresponded records should be either modified or removed.
OCS database:
- OCS Calling Lists – these contain phone numbers and user-defined fields which could contain PII
- Do Not Call lists
- GSW Request Logs
Handling Requests
Find PII data
- Find all records in the Calling List where phone number equals given:
SELECT * FROM <cl_table_name> WHERE contact_info LIKE '<phone number>'
- Find all records in Calling List where user_field contains given identifier
SELECT * FROM <cl_table_name> WHERE <user_field> LIKE '%<identifier>% '
- Find data in Do Not Call Lists where phone number equals given.
SELECT * FROM <dnc_table_name> WHERE phone LIKE '<phone number>'
- Find data in Do Not Call Lists where Customer ID equals given.
SELECT * FROM <dnc_table_name> WHERE customer_id LIKE '<identifier> '
- Find data in GSW Request Log where phone number equals given.
SELECT * FROM <rl_table_name> WHERE phone LIKE '<phone number>'
Edit PII data
For archived calling lists it can be done using SQL queries.
For example, the following SQL statement will mask phone number in GSW Request Log where phone number matches given.
UPDATE <rl_table_name> SET phone = '***' WHERE phone LIKE '<phone number>'Similar SQL statement could be used for masking PII data in the Calling List:
UPDATE <cl_table_name> SET contact_info = '***', <user_field> = '***' WHERE contact_info LIKE '<phone number>'Please note, that it’s not recommended to update records which are retrieved or may be retrieved by OCS. To avoid updating such records, add the following clause to the WHERE part of SQL statement above:
record_status NOT IN (2)SQL Statement for Do Not Call List:
UPDATE <dnc_table_name> SET phone = '***', customer_id = '***' WHERE phone LIKE '<phone number>'Please note, that update in the Do Not Call list table will not update data in OCS memory immediately. This would only happen when Do Not Call list table is re-read by OCS (refer to https://docs.genesys.com/Documentation/OU/8.1.5/Dep/CallingLists#Rereading_of_the_Do-Not-Call_List )
Delete PII data
SQL query example for individual entries deletion based on phone number or unique ID stored in the user-defined field:
DELETE FROM <cl_table_name> WHERE contact_info LIKE '<phone number>'DELETE FROM <cl_table_name> WHERE <user_field> LIKE '%<identifier>% 'OCS Log files
All log files could be checked for containing of the PII data and if some PII data has been found then it could be either masked or removed from the files.
Log files:
- Main log
- OCS Audit Trail logs - https://docs.genesys.com/Documentation/OU/latest/Dep/ExtendedAuditTrailLog
- Record History logs - https://docs.genesys.com/Documentation/OU/latest/Dep/RecordHistoryLogging
Handling Log Files
Find data in log files
To find PII data in the log file, simple console utilities like grep could be used.
For example, the grep utility with regexp request under the log file will find all strings where contains the string like: SocialSecurityNumber: 123456789 But not masked like SocialSecurityNumber: *** grep -n -e "SocialSecurityNumber: \([0-9]\) " OCSLogFile.log
It implements Right of Access and Portability GDP requirement for log files.
Edit data in log files
For masking the PII data in the log files, the find and edit procedure should be implemented under the log files. It cloud be done with some already existing tools. It could be some special tools are designed for this purpose or with some general tools like SED in Linux based systems.
For example using SED utility with regexp request will update the log file in place and all strings like SocialSecurityNumber: 123456789 will be changed to strings like SocialSecurityNumber: ***
sed -i -e 's/SocialSecurityNumber: \([0-9]*\)/SocialSecurityNumber: ***/g' OCSLogFile.log
Delete data from log files
Deleting of the PII data from the log files also should be implemented using find and edit procedure. It also could be done either with special or with general tools. For example using the sed utility with regex request will completely remove the string where pattern SocialSecurityNumber: 123456789 has been found.
sed -i -e 's/^.*SocialSecurityNumber: \([0-9]*\).*$//g' tst.txt
The following example looking all log files are contains the pattern like SocialSecurityNumber: 123456789 and delete these files.
find ./ -iname "*.log" -exec grep -e "SocialSecurityNumber: \([0-9]\)" '{}' \; -delete