In May 2018 (and 10 months before Brexit!), the EU-wide ‘General Data Protection Regulation’ (GDPR) will come into effect. While most of us are thinking about protecting data stored on computer servers, some businesses will also have to consider their telephone systems. If you are recording telephone calls, then GDPR legislation will be relevant to your business!
Currently, call recording in the UK falls under legislation outlined in the ‘Data Protection Act 1998’ (DPA). That’s because call recordings are likely to capture personal information such as names, addresses, bank & financial details, health & family info, religious beliefs etc. DPA expects businesses to inform all parties in a call that they are being recorded, and also to tell them what the recording will be used for. Other legislation (RIPA 2000 and HRA 1998) strengthens the need for notification and consent, but in practice consent is assumed, as long as callers are informed and given the choice to opt out. DPA also prescribes rules for the storage and handling of the recorded data.
Under GDPR, the key principles are an expectation to protect privacy, a need to notify all parties that they are being recorded & to gain their consent, and a requirement to adequately protect stored data from misuse.
The main difference between the GDPR and the DPA will be that the GDPR strengthens the rights of the individual over the rights of the business. Organisations wanting to record calls will be required to ‘actively justify legality’ by demonstrating that the recordings meet any of the following six “processing conditions”:
1. All parties in the call have given consent to be recorded.
2. Recording is necessary to fulfil a contract.
3. Recording is necessary to fulfil a legal requirement.
4. Recording is necessary to protect the interests of one or more of the call participants.
5. Recording is in the public interest, or necessary for the exercise of official authority.
6. Recording is in the legitimate interests of the recorder, unless those interests are overridden by the interests of the participants in the call.
Some of these conditions will apply to specific industry sectors. For example, number 3 will apply to businesses in the Financial Services sector, who are required by the FCA to record all calls leading up to transactions. Number 5 would apply to Emergency and Security services in the interests of public protection and accountability.
For general Contact Centre recording – for monitoring service levels, or staff training – the options will be 1 or 6. As the ‘legitimate interests’ of a business to evaluate customer service can’t usually be put above the interests of personal privacy under GDPR, for most call recording scenarios ‘consent’ must be given by all parties in the call for recording to take place.
Unlike current DPA legislation, ‘assumed consent’ will not be enough. With the GDPR giving prominence to the rights of individuals to restrict collection of, and to know what happens to their recorded data, ‘explicit consent’ to record calls will be required. Note too, that this applies to your own staff, not just those who call or are called by them. It is also significant that recording of any ‘private’ calls made by your staff on your business phone system, can be in breach of both DPA and GDPR due to the information recorded not being used for its specified purpose and/or it not being justified by one of the ‘processing conditions’.
The GDPR will put an obligation on organisations to formally demonstrate compliance (like a ‘Health & Safety’ policy). Data Protection policies will become a statutory compliance document rather than a recommended option. Businesses wanting to record calls will have to create a call recording policy, outlining (broadly, and not restricted to):
- which of the six processing conditions they believe apply and why,
- the process[es] used to obtain consent from all parties in a call,
- the method[s] used to stop/prevent calls being recorded,
- and what measures are in place to protect the recordings from misuse.
Unfortunately, this bureaucracy can’t be ignored. Fines of up to 4% of turnover can be levied for major breaches (e.g. non-disclosure of recording, or failure to adequately protect data), and penalties of 2% for less serious offences.
Carrying out a thorough audit of your call recording methods, notifications and storage is the first step to take. Do this keeping in mind the wider implications of Data Protection and the impact of breaches in security, and use the time until May 2018 to draw up your policies and protocols to ensure compliance. That way you’ll be able to assure your staff and customers that you are keeping their interests at heart, and just as important, you’ll avoid those fines!
Contact Foxhall Solutions – 01787 228402 – to talk about call recording on your phone system …