Does your company process European personal data? Are you or your clients operating in Europe? If so, you’ve had since May 2018 to comply with the EU GDPR or risk fines up to €20 million.
A common and dangerous oversight in the GDPR and data protection strategies of Entertainment and Media companies is the processing of voice-data. Audio departments process and store high volumes of voice assets for dubbing & voiceover projects and they are rarely entered into structured compliance workflows.
In fact, compliance and data protection managers are often unaware this data is being stored and processed in-house.
1. Which Services are Processing Voice-Data?
Data protection officers are often surprised by the number of employees involved in the voice casting process. Depending on the size of an organisation, an Account Manger will assign the voice production of a project to a Project Manager, who may then assign the project to an audio localisation manager or external subcontractor.
Localisation managers will pull samples from their private casting databases, download samples from voice platforms, or request samples from colleagues to send to the Project Manager by email, who then sends the samples to the Account Manager, who in turn sends the samples to the final client in a casting proposition.
- Circulating samples are often saved by handlers, either inadvertently or for future castings
- Actors are often unaware their samples are stored in private casting databases, and while it seems obvious they would want to be referenced in these bases, GDPR and other data protection legislations require companies to obtain their authorisation for processing.
2. Name an “Honorary Voice-Data DPO”
Localisation professionals reception voice-data from multiple sources and a good compliance practice is to designate one voice-data reception point, an “Honorary Voice-Data DPO”, to centralise the data and monitor voice-data compliance and related workflows.
As with other organisational personal data, the “Honorary Voice-Data DPO” should structure and implement voice-data compliance workflows, for example :
- Requesting and recording actor autorisations
- Deleting non-authorised samples within a determined time limit
- renewing actor authorisations following a strict calendar (usually every 2 years)
- Processing modification / rectification / deletion requests
- Renewing actor consent once requested modifications are made
- Provide actor access to personal data (samples included – subject to additional legal restrictions and data protection rights) within 30 days of requests
- Add newly acquired samples to compliance workflows
Multiple services handle voice data in the localisation industry and the continual circulation of samples makes it challenging to structure compliance.
3. Define Voice-Data Policies for All Services
A good compliance practice to require all samples be routed directly to your “Honorary Voice-Data DPO” for compliance processing before they’re used in production.
Producers and project managers should route all incoming voice samples to your Voice-Data DPO, as well as samples collected during live castings. *Note : live casting recordings must be GDPR processed upon project completion if your audio team is keeping them for future casting projects.
Project delivery practices should be re-evaluated if your audio production teams are still delivering castings by email. Voice-data is often forgotten in out boxes, and final clients are not always aware they have GDPR obligations once they reception the data and a project has finished.
Don’t forget Human Resources teams who often receive unsolicited voice samples. They should either delete upon reception or forward them to your Voice-Data DPO for compliance management.
*Even if your HR department receives samples related to a specific project hiring, keep in mind the samples cannot be saved for future projects unless authorisation is obtained 100% independently of a work contract
4. Restrict Casting Database Access
Restrict data access to ensure the GDPR compliance integrity of your casting database.
For example, you might authorise all account managers, project managers and voice directors access to compliant voice assets, and limit access to media awaiting consent to only your “Honorary Voice-Data DPO”.
5. Confirm Vendor Audio Compliance
Non-compliant sub-contractors put the entire production chain at risk of fines up to €20 million or 4% of your last fiscal year, not to mention the potential damage to your brand. And while mandatory proof of voice-data compliance is becoming a standard request of key players in the E&M localisation industry, many vendors have not yet implemented audio compliance strategies.