The rules and regulations surrounding the recording of telephone calls are one of those areas of compliance seemingly designed to confuse, frustrate and exasperate business owners.
Governed by an interlocking web of data protection and privacy laws, what you can and cannot record, and what you can do with the recordings, depends on various factors such as what industry you are operating in, what kind of transactions take place on the calls, and what sort of information is recorded. Not only is it difficult to fathom, but the penalties for non-compliance can be severe.
For better or worse, things are about to change again. The EU-wide General Data Protection Regulation (GDPR) will come into force in May 2018, replacing all national data protection laws in member states. As the Brexit process will not have concluded by then, UK businesses will be subject to the new rules, and will continue to be so even after Brexit if they have customers in the EU.
The headline effects of the GDPR will be to further strengthen the rights of individuals when it comes to organisations collecting, recording and using their personal data, placing greater onus on companies to demonstrate compliance, and increasing the penalties for not doing so.
All of this will have a direct impact on how businesses manage call recording. In this article, we will ask exactly what the changes will be, what businesses need to know, and what they can do to get ready.
Call Recording and Data Protection: The Law as it Stands
To start with, let’s look at why call recording falls under data protection regulations in the first place.
As things stand, call recording in the UK falls under legislation outlined in the Data Protection Act 1998 (DPA). This is because of the potential for recorded calls to capture:
- Personally identifiable information, such as names and addresses
- Sensitive personal information, such as banking or financial details, health information, family details, religious beliefs, sexuality etc.
Call recording is classified as a form of data processing. The DPA states that individuals must be informed how and why their data is being processed, which translates into being told what the recording is for. Businesses are expected to stick to that stated purpose. Other legislation, including the Regulation of Investigatory Powers Act 2000 (RIPA) and the Human Rights Act 1998, strengthens the requirement for notification and consent, although in practice tacit consent is assumed as long as people are informed about recording and given the choice to opt out.
The DPA also sets out rules for the correct handling of personal data, which requires any recordings of telephone calls to be stored securely with appropriate steps taken to avoid breaches.
Changes Under the GDPR
The GDPR has been drawn up following a lengthy period of consultation between EU member states, and is broadly aimed at bringing existing regulations in all 27 countries together. So the main principles behind the GDPR are quite similar to those already in place within UK legislation. With regard to call recording, the key principles are the expectation to protect privacy, notification and consent, and the requirement to adequately protect stored data from misuse.
The main difference with the GDPR will be that it strengthens the rights of the individual over the rights of an organisation. The DPA focuses on balancing the interests of individuals and businesses – as long as steps to protect privacy are followed, collecting and recording personal data is generally assumed to be justified.
Not so under the GDPR. Businesses wishing to record calls will be required to actively justify legality, by demonstrating that the purpose fulfils at least one of six conditions:
- The people involved in the call have given consent to be recorded
- Recording is necessary for the fulfilment of a contract
- Recording is necessary for fulfilling a legal requirement
- Recording is necessary to protect the interests of one or more participants
- Recording is in the public interest, or necessary for the exercise of official authority
- Recording is in the legitimate interests of the recorder, unless those interests are overridden by the interests of the participants in the call
Some of these conditions will apply specifically to certain uses of call recording in certain sectors. Number three, for example, could be used by firms in the financial services sector, which are required by the FCA to record all calls leading up to transactions. Number five will apply to the emergency and security services, who use call recording for investigatory purposes and in the interests of public protection.
But for general call recording, for example to monitor service levels or for staff training in a contact centre, the options left to businesses will be numbers one or six. And as the ‘legitimate interests’ of a business to evaluate customer service are not likely to outweigh the interests of personal privacy under the new regulations, realistically that only leaves gaining consent.
Unlike under current UK law, assumed consent will not be satisfactory. With the GDPR strengthening the rights of individuals to know what is happening with their personal information, and to restrict and object to what happens to it, explicit consent to record calls will be required.
Under the GDPR, there will be a new ‘Principle of Accountability’ which will put the onus on organisations to demonstrate compliance formally. This will make data protection much more like health and safety compliance, where businesses are required by law to proactively draw up, maintain and update protocols and policies outlining how they work to ensure the wellbeing of staff, customers and the public at large.
In other words, data protection policies will become a statutory compliance document rather than a recommended option. Businesses wishing to conduct call recording will have to draw up a specific call recording policy, outlining which of the processing conditions they believe apply and why, detailing how they will go about things such as obtaining consent from participants, and measures in place to protect recordings from misuse.
Penalties for Non-Compliance
Although no business welcomes extra regulatory bureaucracy, the penalties for not following the new regulations are stringent. Fines of up to four per cent of turnover will be levied for major breaches, which might include non-disclosure of recording or failure to adequately protect data, with penalties of two per cent for less serious misdemeanours.
Getting Ready for GDPR
Even though the UK is set to leave the EU in March 2019, that still gives a minimum of ten months during which the GDPR will apply, and who knows how long after that – the UK government could easily choose to bring the GDPR into UK law, rather than revert to DPA-style rules.
The general advice is that practices which have slipped under the radar under current data and privacy laws will become much more risky under the GDPR. For example, many businesses run call recording universally, and also let staff make private calls on business systems. Any private data recorded in this way is in breach of both the DPA and the GDPR, because the information recorded is not being used for its specified purpose, and cannot be justified by one of the processing conditions. Under current DPA rules, there is little or no sanction for this, but under the GDPR, it could land businesses in hot water.
Carrying out a thorough audit of call recording practices, from the notifications given to how recordings are stored, is the first step to take. This should be done in the context of a wider evaluation of data protection, taking into account factors such as how data breaches are identified, how impact assessments are carried out, and the level of training and awareness within the business. From there, policies and protocols can begin to be drawn up, giving you plenty of time to make sure you hit the ground running come May 2018.