Recording Calls – Are You Compliant?
We talk call recording compliance with Consentec
Call recording technology has been around for a long time. Once the preserve of financial market participants, it is a common misconception that its use is confined to financial industries.
Over the last decade usage has exploded with organisations spanning a broad range of industries seeking to harness the power of voice and extract valuable data from their customer interactions. In addition, recording Increasingly reaches much further within organisations to areas that don’t necessarily interact with customers directly but where sensitive roles are performed such as HR, Legal, Risk and Executives.
Historically the challenges for organisations have been the many jurisdictions with a legal requirement to notify the other party(s) of recording taking place, often referred to as “all-party consent” jurisdictions.
GDPR and CCPA
More recently we have seen complex consumer protection and privacy legislation such as GDPR and the forthcoming CCPA, that place much greater control over the recording and processing of personal data.
Under GDPR Article 6, in most cases consent is required for all data processing in lieu of a legal contract between the parties or a legal obligation to record the call.
Consent is defined under Article 4 as, “Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
Within the CCPA there is an obligation to inform consumers at the point of personal data collection of the types of information to be collected and the purposes of its use. Additionally, consumers must be informed about the right to deletion and the right to opt-out of the sale of their personal information.
When recording calls then you need to demonstrate compliance with these laws, having the right tools can help you stay within the law.
In an interview with UC Today, Mitch Dawson, founder of Consentec, said, “against a backdrop of increasing consumer protection and privacy legislation, the requirement to record creates complex compliance challenges for organisations trying to stay within the law”.
“The legislation varies so you now need a tailored approach, generic announcements are no longer enough to demonstrate compliance”
“It’s a considerable challenge, organisations have recorded endpoints participating in calls all around the world and they have no visibility of the jurisdictions of the parties that they are interacting with, and importantly the laws that apply in those jurisdictions in real time.
For example, they may be interacting with a party within the EU for the first time and not necessarily know that they are doing it, if they are recording that party’s data then they could be in breach of GDPR.
Similarly when the CCPA hits next year, they must provide Californian residents with the detailed privacy information that they are entitled to under the law. The results of non compliance are not just considerable in financial terms, but increasingly consumers view trust in organisations as a key differentiator too.” warned Dawson.
Must every call be recorded?
But what happens with organisations who have a legal requirement to record? Dawson said that, “it is important to remember that the legal requirement is on a per call basis, the requirement doesn’t extend to recording all calls on the given line.”
“Under GDPR a legal requirement is perfectly acceptable, but care should be taken as laws in other jurisdictions typically make no allowances for the recording parties reasons or motives when enforcing the rights of citizens,” he added.
Dawson said that the use in some organisations of IVRs doesn’t adequately ensure compliance,
“This comes up quite often and there are a number or reasons why this can be problematic”
“IVRs are typically used on inbound calls only so you have a gap with outbound, and whilst the IVR could play an announcement, this wouldn’t be enough to satisfy GDPR for example, because it actually requires an affirmative action for consent,” he said.
Dawson said that Consentec can help solve these challenges. It has developed “Comply”, a fully automated consent for call recording platform that ensures recorded calls are automatically complaint with all jurisdictions globally.
The platform inspects calls to and from the customers environment and makes detailed decisions on the locations of the parties involved, where it finds a call flow involving a jurisdiction requiring recording compliance, the platform will execute fully configurable rulesets based on the customers requirements for compliance in that particular region.
Speaking about the platform Dawson said “We give customers the tools to be compliant whilst maintaining complete control of the user experience. A customer could introduce an announcement followed by a periodic beep to one or both parties for calls involving all party consent jurisdictions, and automatically prompt a party for their consent within jurisdictions covered by GDPR”.
“Rulesets can provide connectivity to external APIs, so we can post the result of a consent challenge to a voice recording platform for example, or give an agent a screen pop detailing the region of the other party to enable them to select the appropriate compliance process for the call. CCAAS vendors can enhance their product set with a “Consent as a service” offering delivered via their existing agent interface.”