SPECIAL REPORT: Call Recording & The Right to Be Forgotten
Exploring GDPR with Richard Stevenson, CEO of Red Box Recorders
In a recent interview with Red Box Recorders CEO, Richard Stevenson, UC Today opened up a discussion into what impact the GDPR will have on call recording compliancy in business, how resellers and end users will be affected by it and what steps they must take to ensure they are covered once the regulations begin.
As of 25th May 2018, the GDPR will be implemented to fortify data protection for all individuals in the EU and, as a result, is putting huge pressures on businesses who risk facing huge fines should they fail to comply after that date.
Amongst other things, one of the major concerns for businesses, specifically with regards to call recording, is the new “right to be forgotten” regulation that allows people to request that any of their personal data (that is stored without any compelling reason) be erased from a company’s records.
As you may imagine, this can be extremely problematic for any businesses that have been keeping ongoing records of their conversations with clients and many business owners and call recording providers are concerned with how they will be able to overcome this issue.
In order to try and clear up some of the confusion and help our readers find a solution, we spoke with Red Box Recorders’ CEO, Richard Stevenson, a man who has a wealth of experience in dealing with data regulation practices, and picked his brain on what advice he could give to all of those who are uncertain about GDPR and how it will impact their business.
GDPR and Call Recording for Business Owners
Firstly, we thought it would be good to start off by looking at the GDPR from the perspective of business owners so we asked Stevenson what advice he could give to people in that position.
Interestingly enough, his first response was that technology, “though somewhat important, is not the complete solution.” As it stands, there is no audit or certification that can be given to a call recording solution to label it as GDPR compliant and, therefore, the solution must begin with the people themselves which is then supported by the tools they use.
For Stevenson, it is essential that businesses provide extensive training programmes on their data privacy policies, ensuring that each employee is fully aware of what data they’re permitted to use and whether or not it conflicts with said policies.
He also stresses the importance of including data mapping exercises to ensure that all information is securely stored in a specific location and that all staff members know exactly where those locations so that it can be quickly accessed by authorised individuals whenever necessary.
Another interesting point he raised with regards to the GDPR deadline and the pressures businesses face to be fully compliant by that date was that, for many businesses, this goal is largely unrealistic.
“Like any regulation the GDPR has cost associated with it and being a fully compliant business that makes no money is not a great position to be in.”
Instead, he argues that business owners must take a more pragmatic approach to GDPR and understand to what extent they are going to put forward a solution that delivers for their customers without damaging their business.
GDPR for Call Recording Resellers
After looking at GDPR from business owner’s perspective, Stevenson then moves on to the perspective of a supplier, opening with the statement that, he believes:
“GDPR has completely changed the landscape for infrastructure in general” and suppliers can no longer afford to put infrastructure in silos.”
All data must be easily accessible and if it is locked, or if the supplier is unable to port that data to anybody else that requires it, it could lead to disastrous consequences and regulators will show little mercy for those unable to perform this task.
“One of the worst things you can do with any regulator on any issue is state that you are doing something and they find out that you are not”
Likewise, if a business is responsible for capturing call recordings and they are unable to provide that data on request, or deliver sub-par, low-quality recordings that do not deliver what they claimed to, regulators are likely to clamp down heavily on them for their negligence.
In regard to the right to be forgotten, one thing we have come to know about call recording solutions is that they will typically encrypt all of the information they store and deleting calls from them was usually not possible without a great deal of time an effort – which, as we touched upon earlier, is not always an option for the majority of businesses.
When we raised this point to Stevenson, he reaffirmed this belief and suggested that the process of going through a “search and destroy” style elimination of all existing records (which can be buried beneath years of stored data) of every individual client that requests it is pretty much an impossibility.
Instead, he insists that businesses must ensure they “have a sensible policy on portability and the right to be forgotten that can be presented to regulators on inspection. This would include support from communications recording tools, like Red Box Recorders’, which can assist with identifying individuals and their personal information through annotation at the point of capture and with deleting records (within a clearly defined process). If they do that, they may still face a fine, but this isn’t necessarily the end of the world when compared to what you would have to sacrifice by being fully compliant.”
GDPR & The Issue of Consent
Another factor that is said will really put organisations under the spotlight after GDPR takes place is the issue of consent to store personal data, along with consent to use it for a specific purpose. Though call recording always been a kind of grey are around the issue of consent, Stevenson states:
“That (call recording without very specific consent) changes completely. In any dealing with any customer businesses will have to check that they have consent to record, along with consent to use that recording for its intended purpose.”
From May 2018 onwards, there must be a clear indication of consent from the client for the call to be recorded, along with consent for what that recording is being used for. Likewise, if the client refuses the right for the company to record their calls, they must comply and continue to do so in the future unless otherwise stated.
Red Box Recorders is able to assist with capturing and recording consent through annotation and with call suppression to stop recording if consent is not provided.
How Can Resellers Get Involved?
When asked what further advice he could offer to resellers to help them get involved with the GDPR process, he suggested that they combine their knowledge of the subject and the combined technologies that can support compliance to guide their customers through a process which highlights the areas they need to consider and address in preparation. As a trusted partner, resellers can be informing them of all the things to watch out for, including data storage and what options are available to them.
He also adds that putting the customer’s mind at rest, helping them plan pragmatically and ensuring they don’t get caught up the dreaded hype surrounding GDPR, which is, according to Stevenson, an extension of existing data protection laws, is the key to success.
Where do Red Box go from here?
When asked what changes Red Box Call Recording would be making to accommodate for the GDPR, Stevenson informed us that, although the company is already very well equipped in to deal with these changes in terms of connectivity and resilience, they will be looking to build on annotation and encryption.
He also mentioned how the company intends to build on its existing API suite, looking forward towards further integration through API connectivity to key CRM vendors so that businesses are able to link individuals call recordings to their core CRM record.
UC Today Opinion
To summarise, the real key message we should take away from this interview is that, irrespective of how much pressure is put on businesses to be completely compliant by mid-2018, the likelihood of that happening is highly unlikely, therefore worrying about it is wasted energy.
Instead, businesses should be focussing more on building a pragmatic, structured plan when approaching GDPR compliance, evaluating the risks they face and determining where to invest carefully rather than going in blindly.
Moreover, they say prevention is the best cure, therefore the importance of organising training sessions to ensure that every employee knows exactly what they’re dealing with and are aware of what mistakes they can make is another key point to consider.