In the UK, call recording was governed by the Data Protection Act (DPA) 1998. This Act has been replaced by the General Data Protection Regulation (GDPR), which basically tightens up the existing DPA requirements.
What is GDPR?
GDPR is a fairly new rule that governs the collection of personal data. The GDPR regulations have replaced existing regulations that dictate how companies are allowed to collect, store and use the personal information of their clients. The new regulations are designed to give control of personal information back to everyday people, prioritising them over the interests of businesses.
How will this affect my business?
The new regulations essentially force businesses to establish a chain of command with regard to data management policy. Specific roles within the business should be tasked with ownership of data management policies and with training staff on the need for security and the penalties for not complying.
How will GDPR affect call recording?
The new GDPR regulations will greatly impact the call recording process, namely in the sense that consent can no longer be assumed, so the standard “calls are recorded for training and security purposes” warning will no longer suffice. Callers must opt in to be recorded and must also be able to opt out; once the caller has opted out, the agent receiving the call must be able to stop the recording and ensure it isn’t stored.
Things get more complicated when your business is required by law to record calls for regulatory purposes. Recordings that contain personal data would hypothetically need to be consented to, but in these cases any regulatory requirements have authority over the rights of the individual, so the call should be recorded. The difficulty here is that only relevant calls should be recorded, meaning that any calls that don’t meet regulatory requirements for call recording cannot be stored if the individual has not opted in to having their data stored.
What are the GDPR provisions?
Under GDPR, processing data needs to comply with six principles and comply with at least one of the processing conditions. These conditions are:
- Consent must be given to process data
- Data must only be collected and used for a specific purpose and only that purpose
- Data needs to be accurate and kept secure
- When the specific purpose of the data has expired the data must be deleted
How to ensure your call recordings are GDPR compliant
The best way to ensure compliance is to develop a data protection policy for call recordings which adheres to industry regulations, meets the GDPR requirements and doesn’t spook the caller before getting their enquiry answered. It is fundamental to be completely clear and honest with your clientele and trust that they will respect your openness by providing consent. If they choose not to provide consent, make sure the agent receiving the call knows exactly what can and cannot be discussed on the call.
Do I need to comply?
In a nutshell, yes. Any company that operates in the EU needs to comply with the new GDPR regulations. Even non-EU established organizations will be subject to GDPR. If your business offers goods or services to citizens in the EU, then it’s subject to GDPR. Violation of the terms of GDPR can result in a penalty of 4% of your company’s annual turnover or a fine of 20 million euros (whichever is higher).