Regulations regarding consent for call recording and the storage of personal data are in force across the globe
Image above: Regulations detailed for countries in orange, in article below
Regulations regarding consent for call recording and the storage of personal data are in force across the globe. However, these regulations vary, and international organisations need to be aware of national and regional differences. At the same time, new regulations continue to be introduced in various jurisdictions, Consentec’s Mitch Dawson explained.
The CCPA covers the state of California and requires that residents of California be given information, at the point of collection, about how their data will be processed, kept, sold and deleted.
The PIPEDA regulations mandate that an organisation can only record a call for purposes that a reasonable person would consider appropriate under the circumstances. The organisation must inform the customer that they are recording a call, clearly state the purpose of the recording and ask for their consent.
“It’s important to get the customer’s consent in several ways to ensure that their consent is meaningful,” said Dawson. “If the caller objects to the recording, they can ask that the company not record the call or use an alternative approach such as visiting a retail outlet, writing a letter or completing the transaction online.”
The PDPO regulation states that where personal data is collected from the data subject, all practicable steps shall be taken to ensure that the data subject is informed of the purposes for which the data are to be used and the classes of persons to whom the data may be transferred. The data subject must also be informed of their rights to request access to the data and the correction of incorrect data.
The GDPR, which covers the EU27 countries, requires that the data subject has given consent to the processing of their personal data for one or more specific purposes. Alternatively, processing must be necessary for the performance of a contract to which the data subject is party, for compliance with a legal obligation on the data controller, to protect the vital interests of the data subject, to perform a task carried out in the public interest, or to pursue the legitimate interests of the controller except where these are overridden by the interests or fundamental rights and freedoms of the data subject.
GDPR defines consent of the data subject as any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.
The PDP bill, which is now in force, applies to both government and private entities, including those not present within the territory but which conduct business in India, offer goods or services in the country, or carry out activities such as the profiling of data subjects in India.
“The bill requires that organisations limit data collection to the minimum required for the purpose of processing and mandates that companies must obtain consent that is freely given, specific, clear and easy to withdraw,” added Dawson. “The law sets out the right to confirmation and access and the right to correction. The organisation has to store at least one copy of the personal data on a server at a data centre located in India and forbids organisations from transferring or storing sensitive or critical personal data overseas.”
The LGPD (Lei Geral de Proteção de Dados) creates nine rights for data subjects. These give individuals the right to: confirmation that their data is being processed; access to their data; correction of their data; anonymisation, blocking or deletion of unnecessary or excessive data; data portability; data deletion; information about the entities with which the controller has shared their data; information about the possibility of denying consent and the consequences of doing so; and, finally, revocation of consent.
The PBI bill defines consent as free, specific, unequivocal and informed, and sets out that consent should be manifested in a clear form and in an oral or written statement. The law also establishes new legal bases for processing personal data apart from the sole consent of the data subject. It is not mandatory to obtain the data subject’s consent if: the data has been gathered from a source of public access; the processing involves data related to economic, financial, banking or commercial obligations; or the processing is necessary for compliance with a legal obligation, or for the execution of an agreement to which the data subject is a party.
Set against the backdrop of organisations that need to record calls, it is easy to see how compliance has become a huge challenge.
“It is something that clients have been saying to us for a long time,” said Dawson. “They are concerned about their ability to meet their compliance obligations when recording calls. Let’s say a sales team has just started a new outbound campaign, how will they know if they record a call with someone subject to such legislation?
“Some organisations rely on website privacy notices to inform about the uses of data, but they could only ever assume that someone had taken the time to review it,” he added.
“It is important to remember that we are talking about the need to be compliant at the point of data collection, not after the event.”