The effects of the GDPR on call recording will be to further strengthen the rights of individuals when it comes to businesses collecting, recording and using their personal data, placing greater onus the business to demonstrate compliance & increasing the penalties for not doing so.
All of this will have a direct impact on how you manage call recording. We will ask try to explain what the changes will be, what you need to know, and what you can do to get ready.
The Law As it Was
Previously, call recording was classified as a form of data processing. The Data Protection Act states that individuals must be informed and aware that they are being recorded and why they are being recorded.
This is because recorded calls have the ability to capture:
- Personally identifiable information such as, names and addresses
- Sensitive information such as, banking, financial, health, family, religious etc. detailsThe Data Protection Act also, sets outs rules for the correct handling of data, which requires any calls recorded to be stored securely with steps to be taken to avoid breaches.
So the main principles behind the GDPR are quite similar to those that were in place within UK legislation. With regards to call recording, the key principles are the expectation to protect privacy, notification and consent, and the requirement to adequately protect stored data from misuse.
The main difference with the GDPR will be that it strengthens the rights of the individual over the rights of an organisation. The DPA focuses on balancing the interests of individuals and businesses – as long as steps to protect privacy are followed, collecting and recording personal data is generally assumed to be justified.
Not so under the GDPR. Businesses wishing to record calls will be required to actively justify legality, by demonstrating the purpose fulfils any of six conditions:
- The people involved in the call have given consent to be recorded.
- A recording of a call is necessary for the fulfilment of a contract.
- Recording is necessary for fulfilling a legal requirement.
- The call recording is necessary to protect the interests of one or more participants
- The call recording is in the public interest or necessary for the exercise of official authority.
- Recording is in the legitimate interests of the recorder, unless those interests are overridden by the interests of the participant in the call.
Some of these conditions will apply specifically to certain uses of call recording in certain sectors. Number three, for example, could be used by firms in the financial services sector, which are required by the FCA to record all calls leading up to transactions. Number five will apply to the emergency and security services, who use call recording for investigatory purposes and in the interests of public protection.
But for general call recording, for example to monitor service levels or for staff training in a contact centre, the options left to businesses will be numbers one or six. And as the ‘legitimate interests’ of a business to evaluate customer service are not likely to outweigh the interests of personal privacy under the new regulations, so that only leaves gaining consent.
So unlike the previous law, assumed consent will not be satisfactory. With the GDPR strengthened rights of individuals to know what is happening with their personal information and to restrict and object to what happens to it, explicit consent to record calls will be required.
Along with the new GDPR comes a new ‘Principle of Accountability’ which puts a requirement on organisations to demonstrate their compliance. Data protection policies will soon become a statutory compliance document, rather than a recommended option. Therefore, businesses wishing to record calls will be required by law to draw up a specific call recording policy.
So what to do, carry out a thorough audit of call recording practices, from the notifications given to how recordings are stored, is the first step to take. This should be done in the context of a wider evaluation of data protection, taking into account factors like how data breaches are identified, impact assessments and training and awareness within the business. From there, policies and protocols can begin to be drawn up, giving you plenty of time to make sure you hit the ground running come May 2018.
ICO Views on file retention and encryption
Data controllers must consider the security of lawful recordings and whether this can be achieved through the use of full-disk or file encryption products. However, some types of audio recording devices such as a dictation machines may not routinely offer encryption. The data controller must consider whether an alternative device is more appropriate or consider additional technical and organisational safeguards such as deleting the data as soon as practicable and locking the device away when not in use.
In the event that an unencrypted version of the recording should be retained (eg for playback in a Court of Law) then a range of other compensatory measures must be considered. These can include storage within a secure facility, limited and authorised access and an audit trail of ownership and usage.
The data controller must also consider the security of recordings once transferred from the device for long-term storage and be aware of other requirements which may prohibit audio recording of certain types of data.