Does your company process European personal data? Are you or your clients operating in Europe? If so, you’ve had since May 2018 to comply with the EU GDPR or risk fines up to €20 million.
A common and dangerous oversight in the GDPR and data protection strategies of Media & Entertainment companies is the processing of voice personal data. If your company creates or owns dubbed content, it is probable your audio teams are processing and storing high volumes of voice assets.
E&M compliance and data protection managers are often unaware this personal data is being stored and processed by their audio teams. These assets are subject to GDPR obligations and are rarely entered into structured compliance workflows.
1. Which Services are Processing Voice-Data?
Data protection officers are often surprised by the number of employees involved in the voice casting process. Depending on the size of an organisation, an Account Manger will assign the voice production of a project to a Project Manager, who may then assign the project to an Audio Localisation Manager or external vendor.
Localisation managers pull samples from their private casting databases, download samples from voice platforms, or request samples from colleagues to send to the Project Manager by email, who then sends the samples to the Account Manager, who in turn sends the samples to the final client in a casting proposition.
- Circulating samples are often saved by handlers, either inadvertently or intentionally future castings
- Actors are often unaware their samples are stored in private casting databases, and while it seems obvious they would want to be referenced in these talent bases, GDPR and other data protection legislations require companies to obtain their authorisation for processing.
2. Name a "Voice Data Manager"
Localisation professionals receive voice personal data from multiple sources and a good compliance practice is to designate one voice-data reception point, a “Voice Data Manager” to centralise the data, define and implement internal audio compliance workflows, and manage legal obligations such as:
- Requesting and recording actor consent of use (100% independent of work contracts)
- Deleting non-authorised samples within a determined time limit
- Renewing actor authorisations following a strict calendar (usually every 2 years)
- Processing modification / rectification / deletion requests
- Renewing actor consent once requested modifications are made
- Providing actor access to personal data (samples included – subject to additional legal restrictions and data protection rights) within 30 days of requests
- Ensuring newly acquired samples are entered into compliance workflows
3. Define Voice-Data Policies for All Services
A good compliance practice is to require all samples be routed directly to the Voice Data Manager for compliance processing before they’re used in production.
Producers and Project Managers should route all incoming voice samples to the Voice Data Manager, as well as samples collected during live castings.
*Note : live casting recordings must be GDPR processed upon project completion if they are saved for use in future projects.
Project delivery practices should be re-evaluated if your audio production teams are still delivering castings by email. Voice data is often forgotten in out boxes, and final clients are not always aware they have GDPR obligations once they reception the data and a project has finished.
Don’t forget Human Resources teams who often receive unsolicited voice samples. Samples should either be deleted upon reception or forwarded to the Voice Data Manager for compliance management.
*Even if your HR department receives samples related to a specific project hiring, keep in mind the samples cannot be saved for future projects unless actor consent is obtained 100% independently of a work contract
4. Restrict Casting Database Access
Restricting access to voice data is highly recommended to ensure the integrity of your GDPR strategy. Limiting access and modification permissions to specific personnel that need to process the data is good practice.
Companies might also consider only giving certain personnel access to compliant voice assets, and limiting access to data awaiting actor consent and/or treatment of actor modification requests to only the “Voice Data Manager”.
5. Confirm Vendor Audio Compliance
Add voice data compliance to your vendor risk assessments and insist on only contracting partners who can provide proof. VRAs focus on cybersecurity, internal operations, and regulatory compliance, and voice data conformity is often overlooked…a dangerous oversight your audio services lines should avoid.
GDPR introduces the notion of co-responsibility, this means that content creators are co-responsible for the compliance of their vendors, and vice versa.
One non-compliant stakeholder puts the entire production chain at risk of fines up to €20 million or 4% of global turnover, not to mention the potential damage to brand reputation. While mandatory proof of voice-data compliance is becoming a standard request of key players in the Media & Entertainment localisation industry, many vendors have not yet implemented audio compliance strategies.
Discover some of the cool updates we had up our sleeves. Import a list of roles directly to your casting Working on a project with
As published in the Reteller Magazine, October 2021 Issue – Written by Attorney Henri Leben, LEBEN AVOCATS, Paris. The voice constitutes personal data, and it
This long-awaited feature will amaze you! Now the people you share your castings with can comment on and rate samples. And with your authorisation – revocable
Webinar replay Mediartis is co-hosting a webinar with EGA (Entertainment Globalization Association) next Tuesday, October 19th at 5 PM (London) – 6PM (Paris) — 9AM
These new features simplify GDPR compliance management for both Mediartis users and talents validating their profiles and media. I. Compliance Validation after Personal Data Modification