Call Recording & GDPR: Staying on the Right Side of the New Regulations
"Your call is being recorded for training purposes..."
At this point, most businesses are sick and tired of hearing about GDPR. For years, the regulations surrounding call recording have been complex enough, seemingly designed to exasperate those who simply want to make the most of their data.
Governed by a web of data protection and privacy laws, the rules of what you can and cannot record, and what you can do with the recordings, depend on various factors. Everything from what industry you’re operating in, to the kind of transactions you’re dealing with in calls, and the information you record has an impact.
On the 25th of May, the rules changed all over again, and organisations throughout the UK, Europe, and the world have been scrambling to keep up.
Out with the Old and In with the New
Europe’s latest solution for data protection covers call recording, compliance, and data management. It replaces the previous Data Protection Act, which came into legislation in 1998, so you could argue that we’ve been due an update for a while. The previous rules were taken from the Data Protection Act 1998. They combined with the Regulation of Investigatory Powers Act in 2000, and the Human Rights Act in 1998 to strengthen the rights that people had regarding how their data was stored and used.
Call recording is caught by these rules because of the potential for recorded calls to capture:
- Personally identifiable information, such as names and addresses
- Sensitive personal information, such as banking or financial details, health information, family details, religious beliefs, sexuality etc.
The good news is that the aims of GDPR aren’t completely removed from those of the previous data protection campaign. They’re all concerned with data security, the protection of privacy, and the way we process data. Nothing new there.
However, there are a few major changes. For instance, companies wanting to record calls will need to give a good reason for doing so. The GDPR suggests that your recording purpose should fulfil at least one of the following six conditions:
- Recording is crucial to comply with a contract
- Recording complies with legal requirements
- The people in the call have offered their consent to be recorded
- Recording is essential for the protection of one or more participants
- Recording is necessary for public interest purposes
- Recording is legitimately in the interest of the recorder (unless those interests are less important than the interests of the participant)
The Changing Nature of Consent
Essentially, GDPR is all about “consent”. Tacit consent isn’t enough to keep you out of the spotlight anymore. The new legislation wants to implement a “Principle of Accountability” which pushes businesses to implement detailed measures for acquiring consent and keeping information secure. Call recording is a form of data processing. Under the DPA, the previous regulations, companies needed to inform individuals of how their data was processed. That’s still something that you’ll need to think about today. However, the balance between the needs of the customer and the preferences of the business is changing.
Essentially, the GDPR rules come from a lengthy period of consultation between member states and the UK. They’re designed to bring all the dispersed rules and regulations together so that everyone is on the same page. The main difference between GDPR and the previous rules is that GDPR makes the rights of an individual more important than the rights of the organisation.
The principle of accountability makes the data protection conversation far more complex – similar to health and safety compliance, where the law requires businesses to maintain, create, and update the protocols they use to ensure customers, the public, and employees remain safe.
From now on, call recording systems will need to have the ability to obtain explicit consent from participants before recording takes place. Integrating call recording systems with other analytics will help to identify issues and give businesses a deeper insight into their relationships with customers. Companies like Tollring have already begun to develop solutions like the iCall Suite to improve analytics for companies and improve GDPR compliance. Red Box Recorders has a similar approach to GDPR management.
This Call Is Being Recorded…
Ultimately, if you want to stay on the good side of GDPR, the most important thing to remember is that you need to notify customers when you’re recording a call. You might not need to be as granular with this as you would be on a website. For instance, you don’t need to tell people that you’re using their name and address to look up their account. However, you do need to make sure that your customer knows what they’re agreeing to, and what rights they have when it comes to their data.
Part of preparing for GDPR will be installing the right tools and software. The other part will be training your team to prepare for the change. Forward-facing customer service agents, including the ones that are manning your live chat system, need to consider the privacy concerns around GDPR. A policy for employees to reference might be a good way forward.
Carrying out a thorough audit of call recording practices, from the notifications given to how recordings are stored, is the first step to take. This should be done in the context of a wider evaluation of data protection, taking into account factors like how data breaches are identified, impact assessments and training and awareness within the business.
Although no business welcomes extra regulatory bureaucracy, the penalties for not following the new regulations are stringent. Fines of up to four percent of turnover will be levied for major breaches, which might include non-disclosure of recording or failure to adequately protect data, with penalties of two percent for less serious misdemeanors.
Editor’s note: This article was first published 21st June 2017 and has been updated following the GDPR introduction 25th May 2018.