GDPR, Data and Call Recording

We’re all pretty familiar with GDPR by now, which came into effect in May 2018 and replaced the Data Protection Act. The legislation was passed through the European Parliament, but the regulations were actually largely created in the UK.

GDPR compliance has been a challenge for many businesses looking at how they store and manage personal data, but for some, it is more complicated. Data storage is something that has had to be protected from data breaches along with the protections that are required. But for those businesses that record and store phone calls, there is an extra layer of data protection law to consider.

If you record telephone calls, do you meet general data protection regulations? 

Consider the data that you collect from callers that you subsequently store. It’s likely that you’ll capture names, addresses, bank & financial details, health & family info, religious beliefs, and so on. All of this data is personal data that could identify an individual, so must be protected properly. 

 

There are three key considerations to make under GDPR:

1. An expectation to protect privacy
2. To notify all parties that they are being recorded and gain their consent.
3. To adequately protect stored data from theft and misuse.

GDPR is designed to strengthen the rights of the individual over the business. 

Businesses and organisations must justify the legality of recording calls by meeting any of six conditions

All parties in the call have given consent to be recorded.

1. Is it necessary to fulfill a contract?
2. Recording is necessary to fulfill a legal requirement.
3. It’s necessary to protect the interests of one or more of the call participants.
4. It is in the public interest, or necessary for the exercise of official authority.
5. Recording is in the legitimate interests of the recorder unless those interests are overridden by the interests of the participants in the call.

Remember that the rights of the individual are given prominence under UK GDPR regulations, so “assumed consent” is no longer acceptable. GDPR requires that individuals are made aware of what happens to their recorded data, and have the right to restrict the collection of data about them. 

GDPR also applies to your staff, not just people who they speak to during a call. Recording private calls could also breach GDPR regulations, as any information collected may not be used for the purpose for which it is intended. Does recording private calls meet any of the six conditions for meeting GDPR compliance?

Demonstrating GDPR Compliance

GDPR puts an obligation on businesses and organisations to formally demonstrate compliance, rather like a health and safety policy. All businesses should have a formal GDPR policy documebnt in place to demonstrate how they collect, store and manage data, and under which of the six conditions it is collected.

Broadly speaking, a GDPR policy should contain the following information:

• Which of the six processing conditions do they believe apply and why
• Details of the processes used to obtain consent from all parties in a call
• Details of the methods used to stop or prevent calls from being recorded
• The measures in place to protect the recordings from misuse.

GDPR Enforcement and Fines

Fines of up to €20 million or 4% of global turnover can be levied for major breaches. That could include non-disclosure of recording, or failure to adequately protect data for example.

To ensure that you are compliant with GDPR regulations carry out a thorough audit of your call recording methods, notifications, and storage. Do your processes meet GDPR requirements, including meeting one of the six conditions for collecting and processing data in the first place?

Keep in mind the security aspects of your data storage too. Are your storage methods secure from cyber attacks and theft? 

There’s no silver bullet, but your cybersecurity policy should run alongside your GDPR policy. Who has access to personal data? Do they need it? 

Is access secured with 2fa technology and secure systems? The days of spreadsheets are behind us so think carefully about how your business is protected.

With all that in mind, Foxhall Solutions is here to help you develop and install your telephone systems, and ensure that they are compliant and secure from attack.

The Information Commissioner’s Office also has resources that you can refer to here 

Contact Foxhall Solutions – 01787 228402 – to talk about call recording on your phone system.