GDPR Compliance in Architect: Ensuring Proper Variable Clearing in Secure Flows

I’m reviewing our Architect flows for GDPR compliance, specifically focusing on how we handle PII (Personally Identifiable Information) within our secure IVR payments flow.

We collect a customer ID and then pass it to an external CRM via a Data Action to retrieve account details. My concern is that these variables (like Flow.CustomerID) might persist in the conversation memory or be logged in the flow’s execution history.

I know about ‘Secure Data Actions’, but what about the variables themselves? Do I need to manually set them to an empty string "" at the end of the flow, or does Genesys Cloud handle the ‘Scoping’ and ‘Clearing’ of flow variables automatically once the interaction is disconnected?

Variables persist for the duration of the conversation ‘Object’. If a call is transferred from the IVR to an agent, that Flow.CustomerID will still be available in the ‘Conversation Attributes’ and can be viewed in the ‘Participant Data’ by the agent or anyone with ‘Conversation:View’ permissions.

You should definitely clear sensitive variables as soon as they are no longer needed. Use the ‘Update Data’ action to set them to NOT_SET or an empty string before the ‘Transfer to ACD’ or ‘Disconnect’ blocks.

I’ve done several PS engagements for banks on this. Clearing them at the end is a ‘Better than nothing’ approach, but the ‘Best Practice’ is to use the ‘Secure Call Flow’ type for any PII collection.

In a Secure Call Flow, variables are handled differently—they are encrypted in transit and the logging is much more restricted. Also, remember that even if you clear a variable in the flow, if that variable was used as a ‘Category’ or ‘Input’ in a Data Action, it might still be visible in the Data Action’s execution history unless you’ve marked those fields as ‘Sensitive’ in the Data Action configuration.

From a SOC2/PCI-DSS audit perspective, clearing the variables isn’t enough to guarantee they aren’t ‘Logged’. You must verify your ‘Flow Log’ level. If it’s set to ‘Verbose’, Architect will log the value of every variable assignment. In production, always set your log level to ‘Error’ or ‘None’ for secure flows.

And yes, as Emi mentioned, the ‘Participant Data’ is the biggest leak. If you use ‘Set Participant Data’, that info stays with the conversation forever (until the retention period expires). Never set PII as participant data unless it’s absolutely necessary for routing or screen-pop, and if you do, make sure to clear it before the call ends.
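As an added check that is not part of this thread and not Genesys' own tooling: the Python below audits a conversation record for PII still sitting in Participant Data, the leak the replies above single out, and builds the per-participant bodies that would blank it. It assumes the participant shape returned by the Platform API (GET /api/v2/conversations/{id}, each participant carrying an `attributes` map of string to string) and the body shape of PATCH .../participants/{participantId}/attributes; the sample conversation, the attribute names and the PII hint list are constructed for the example, so treat the hint list as a starting point for your own naming conventions, not a complete PII taxonomy.

```python
"""Audit a Genesys Cloud conversation record for PII left in Participant Data.

Added example, not code from the thread or from Genesys. Assumes the record
shape returned by GET /api/v2/conversations/{id}: a "participants" list whose
items carry an "attributes" map of string -> string. The sample conversation
and the hint list below are constructed for the example.
"""
import re

# Fragments of attribute names that usually mean PII landed in Participant Data.
# Constructed for this example; adjust to your own attribute naming conventions.
PII_KEY_HINTS = ("customerid", "ssn", "nationalid", "dateofbirth", "dob",
                 "cardnumber", "pan", "cvv", "iban", "accountnumber", "email")

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}")
# 13 to 19 digits, optionally separated by spaces or dashes (card PAN formats).
PAN_RE = re.compile(r"(?:\d[ -]?){13,19}")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so only plausible card PANs are reported, not any long number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify_value(value: str):
    """Return a reason if the value itself looks like PII, else None."""
    if EMAIL_RE.search(value):
        return "value looks like an e-mail address"
    for m in PAN_RE.finditer(value):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            return "value is a Luhn-valid card number"
    return None


def find_pii_attributes(conversation: dict) -> list:
    """List (participant id, attribute key, reason) for Participant Data holding PII.

    Empty-string attributes count as already cleared (the 'Update Data' to ""
    approach from the thread) and are skipped.
    """
    findings = []
    for participant in conversation.get("participants", []):
        pid = participant.get("id", "?")
        for key, value in (participant.get("attributes") or {}).items():
            if value is None or value == "":
                continue
            normalized = re.sub(r"[^a-z0-9]", "", key.lower())
            hint = next((h for h in PII_KEY_HINTS if h in normalized), None)
            if hint:
                findings.append((pid, key, f"attribute name contains '{hint}'"))
                continue
            reason = classify_value(str(value))
            if reason:
                findings.append((pid, key, reason))
    return findings


def redaction_patches(findings: list) -> dict:
    """Per-participant bodies for
    PATCH /api/v2/conversations/{conversationId}/participants/{participantId}/attributes
    that blank the flagged keys. The body shape is an assumption about the API."""
    patches = {}
    for pid, key, _reason in findings:
        patches.setdefault(pid, {"attributes": {}})["attributes"][key] = ""
    return patches


# Constructed sample; not a real conversation record.
SAMPLE_CONVERSATION = {
    "id": "00000000-0000-0000-0000-000000000001",
    "participants": [
        {"id": "cust-1", "purpose": "customer",
         "attributes": {"CustomerID": "C-48213",          # flagged by name
                        "ScreenPop_Ref": "ticket-7781",   # harmless routing key
                        "Notes": "callback at 4111 1111 1111 1111",  # PAN in free text
                        "ContactEmail": ""}},             # already cleared
        {"id": "agent-1", "purpose": "agent",
         "attributes": {"Queue": "Billing"}},
    ],
}

if __name__ == "__main__":
    found = find_pii_attributes(SAMPLE_CONVERSATION)
    for pid, key, reason in found:
        print(f"{pid}: {key}: {reason}")
    print(redaction_patches(found))
```

Run it against exported conversation JSON after the retention window you care about; anything it reports is Participant Data that survived the flow and is visible to anyone who can view the conversation. Name-based hits are cheap and precise for your own attribute names, while the Luhn check catches the case the thread warns about, PII pasted into an attribute that was never meant to hold it.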