CDSA

The General Data Protection Regulation (GDPR) considers an individual’s voice to be personal data so media and entertainment (M&E) companies must respect voice actor rights and process voice personal data in full compliance with its requirements … or risk paying the price, according to Convergent Risks.

Failure to be in compliance can lead to penalties of up to 20 million euros or 4% of the last fiscal year’s turnover, risk of litigation from a high profile individual or damage to a companies’ reputation should a breach arise.

As content localisation continues to skyrocket, dubbing and voiceover service providers are in higher demand than ever. As part of this process, voice data is circulating globally, often non-secured and unmonitored, in different in-house departments. These databases are rarely cleaned and often contain thousands of voice recordings.

The “central focus” of GDPR is to protect personal data, Stephanie Iyayi, SVP of legal affairs and data protection officer at Convergent Risks, said March 22 during the panel session “CPS@CWMF: Voice Casting Databases and the GDPR: a Ticking Time Bomb?” at the eighth annual Content Protection Summit Europe.

The panel session took a deep dive into key issues around compliance, co-responsibility, actor database management, security and client casting delivery on a global scale.

The event was held in conjunction with the sixth annual Content Workflow Management Forum at the Cavendish Conference Centre in London and as virtual events via the MESAverse, allowing for remote attendance worldwide.

If you ask somebody what personal data includes, they’re likely to say names, addresses or maybe even their likenesses in photos/images, Iyayi said, noting it’s pretty rare for somebody to think of one’s voice.

“But personal data is exactly that: It’s any information that can be used to identify” somebody, she said.

What is unique about one’s voice is that it can reveal information including one’s ethnicity via an accent or if they have a medical condition such as Parkinson’s disease, she noted.

Because voice is “at the heart” of the M&E industry, it’s easy to see how it can be a major risk in the sector, she said, adding it’s also “subject to the strictest protection” under the GDPR.

Meanwhile, there is a misperception that GDPR only impacts EU companies. But “it really does have a global reach,” she pointed out, noting that can be overlooked and often “trips people up.”

Additionally, 70% of the countries in the world have some form of data protection regime in place and many of them are modelled after GDPR, she said.

The “core concept” of GDPR “centres around accountability,” so organisations must not only comply with GDPR but also be able to demonstrate that they are substantially compliant with the regulation, which involves making sure that certain procedures are put in place including proper security measures, she added.

Even the industry’s talent, including voice actors, often aren’t aware that GDPR covers voice, moderator Chris Johnson, Convergent Risks CEO and president, pointed out.

So part of the purpose of the session was designed to “make people more aware of what is captured by the legislation” because reputation is the largest risk and can be “game over” for a company, he said.

Agreeing with him, Nicole Quilfen, chief operations officer at Paris, France-based voice casting software developer Mediartis, said casting databases have been compiled by M&E companies over many years very often and the data comes from many sources, making it hard for the companies to track where the data all came from.

“The problem is that most of the industry is unaware that voice is protected and so the compliance of these assets has been widely ignored,” she said, noting her company developed a solution that automates most GDPR obligations.

M&E companies must maintain control of all their assets, she warned, noting there is often no way to control it as soon as it leaves the organisation. Companies are, however, increasingly becoming aware of the responsibilities they have, she said.

One of the Mediartis solutions enables companies to verify a vendor’s compliance, she added.

The “key” issue is that companies have all this data that’s been collected by them over many years and they indeed don’t know where it all came from, said Michel Golgevit, president of Keywords Studios, a videogame services company in Paris, France.

“During the casting phase, the key point is, as voice is personal data, this is data we cannot share, we cannot transfer,” but it is often being shared anyway, Golgevit said.

Concluding the session, Johnson said: “I think the message to take away is to be prepared. Don’t get caught cold on this. It can be a very expensive thing to get wrong. Unfortunately, it is an overlooked subject in the industry. There’s a lot of non-compliance out there, I’m sure. And we need to do something about it.”

Convergent Risks planned, after the event, to discuss the issue with the Content Delivery & Security Association (CDSA) and try to lobby for more input, he said, adding his company has a programme it can offer the industry.

The eighth annual Content Protection Summit Europe was produced by MESA in association with CDSA, and presented by Convergent Risks, with sponsorship by archTIS, NAGRA, Signiant, and BuyDRM.

The sixth annual Content Workflow Management Forum was produced by MESA in association with CDSA, the Hollywood IT Society (HITS), the Smart Content Council, the Content Localisation Council, and presented by Convergent Risks, with sponsorship by archTIS, NAGRA, Signiant, Whip Media, AppTek, BuyDRM, LinQ Media Group, OOONA, ZOO Digital, EIDR and Titles-On.