GDPR & Call Recording, Everything You Need To Know

We’ve all been there, waiting at the end of the phone for someone to pick up while an automated voice lets us know that ‘your call may be recorded for training and monitoring purposes’. This alert was something many businesses did to ensure callers were happy to have their conversation recorded and kept on file. But since the General Data Protection Regulation (GDPR) came into effect in May 2018, this is no longer a courtesy: gaining consent for voice recordings has become a legal requirement for most.

Despite this, call recording is one of the most confusing areas of GDPR, with many businesses not taking it into account at all and therefore failing to be fully GDPR compliant. So what are the rules when it comes to recording phone conversations, and what do you need to do to ensure your business is following the guidelines and sticking to the new laws?

In this guide, we’re going to tell you everything you need to know about call recording and GDPR, so you can reduce the risk of your business facing backlash and a hefty fine.

Why you must now consider GDPR when call recording

GDPR was put in place to strengthen data protection laws and to give EU citizens more control over their personal data. This means that businesses across the world (whether based in the EU or not) must adhere to these laws if they intend to collect, store, process or use the data of any EU citizen.

In its most basic form, we think of personal data as names, emails, addresses, bank details and so on, but GDPR has a very broad scope and classes personal data as anything that can identify an individual. Phone calls often require the caller to share personal information, even if only the minimum such as a name or customer number.

As such, these voice recordings fall under the category of ‘data processing’. This is why businesses must now consider GDPR when recording phone calls.

Justifying why you’re recording the phone calls

Before we look at how you can ensure your call recording is GDPR compliant, let’s first look at the legal justification for recording these calls in the first place. A key part of GDPR, and one of the first things you might be asked in the event of a data breach, is ‘what was your reason or purpose for collecting, storing and using these recordings?’.

In these instances, businesses must be able to justify why they were collecting data in this way and prove they have a lawful reason for doing so. ‘For training purposes’ is no longer enough! Below are some of the key reasons you might record calls lawfully, though for the most part you must still make sure consent is given (more on this in the next section):

  • Recording is necessary in order to fulfil a contract
  • Recording is necessary in order to fulfil a legal obligation on either side
  • Recording is in the public interest
  • Recording is necessary for the protection of one or more of the participants
  • Recording is helpful to the interests of the recorder, unless the interests of the caller outweigh those needs, e.g. it’s a vulnerable or underage person on the phone

How to ensure your call recording is GDPR compliant

With this in mind, there are several steps you must take to ensure that your business’s call recording is GDPR compliant. You can implement many of these steps within the business yourself, but you may also wish to outsource some (or all) of your GDPR efforts to an expert in the field if you want extra security and reassurance.

  1. Always get consent

When it comes to GDPR, consent is the name of the game. Simply stating ‘your call will be recorded’ is no longer enough. In order to be 100% compliant, you must explicitly ask for and gain consent from the caller. You can do this by oral acceptance over the phone, or you can write it into your customer agreement as long as the customer is made aware of this and agrees to the terms.

If you intend to share recordings with any third parties, then, as with any personal data, you must ask for explicit consent to share this information. The individual has the right to opt out of this at any time.

  2. Don’t store any Sensitive Authentication Data

It’s best to record and store only the information you really need, and to avoid any sensitive information such as authentication data. This includes card details, PINs, passwords and card security codes. The easiest way to prevent this is to find a technological solution that keeps this data off the recording. There are several service providers out there.

What’s more, some businesses choose to use masking solutions that let callers input such data using the keypad on their phone, so the digits never reach the recording. This keeps their sensitive and identifiable information safe and secure. Again, several providers offer this functionality.

  3. Be prepared for access and deletion requests

You must be able to produce these recordings upon request and send them to the individual. You must also be able to locate and delete these files at the request of the data subject. This is part of the fundamental rights of EU citizens under GDPR.

  4. Offer GDPR-specific call training to all staff

Ensuring your staff are well educated on GDPR, related policies and how to handle personal data when it comes to call recording reduces the risk of a security breach or data issue in the first place. It also means your company will be better equipped to deal with any security issues should they arise.

  5. Ensure you have the best security measures in place

As with any sort of data collection, it is the responsibility of the business to collect, store and process data securely. This means having the best possible security systems in place to help protect this information and reduce the risk of a cyberattack or data breach.

  6. Don’t keep data longer than you need to

Finally, don’t retain data any longer than you need to. GDPR states that a time limit must be set on all data storage and that businesses may only store data until they have fulfilled their purpose, after which it must be erased or destroyed.
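Steps 3 and 6 above both come down to the same thing: keeping an index of what was recorded, for which customer, on what lawful basis, with what consent and for how long, and being able to act on it. The following Python is an added example, not code from this article or from any call-recording vendor. The `Recording` index, the customer numbers, the basis names and the retention periods are all constructed for illustration; a real system would also shred the audio file itself and write the deletions to an audit log.

```python
"""Call-recording retention enforcement and data-subject request handling.

Added example (not the article's or any vendor's code). It assumes a simple
metadata index in which each recording carries the caller's customer number,
the lawful basis noted at capture time, whether explicit consent was obtained,
and the retention period set for that purpose. Audio files are represented
only by their ids.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Lawful reasons listed in the article; the short names are this example's own.
LAWFUL_BASES = {
    "contract",              # necessary to fulfil a contract
    "legal_obligation",      # necessary to fulfil a legal obligation
    "public_interest",       # in the public interest
    "vital_interests",       # protection of one or more participants
    "legitimate_interests",  # helpful to the recorder, unless outweighed
}


@dataclass
class Recording:
    recording_id: str
    customer_id: str
    recorded_on: date
    purpose: str          # lawful basis recorded at capture time
    consent_given: bool   # explicit oral or written consent obtained
    retention_days: int   # time limit set for this purpose
    deleted: bool = False

    def expires_on(self) -> date:
        return self.recorded_on + timedelta(days=self.retention_days)


def build_sample_index() -> list:
    """Constructed sample data; not real recordings or customers."""
    return [
        Recording("rec-001", "cust-42", date(2023, 1, 10), "contract", True, 90),
        Recording("rec-002", "cust-42", date(2023, 6, 1), "contract", True, 90),
        # 'training' alone is not a lawful basis and no consent was recorded
        Recording("rec-003", "cust-77", date(2023, 5, 20), "training", False, 365),
        Recording("rec-004", "cust-99", date(2023, 6, 15), "legal_obligation", True, 730),
    ]


def compliance_gaps(index: list) -> list:
    """Ids of live recordings with no listed lawful basis or no recorded consent."""
    return [
        r.recording_id for r in index
        if not r.deleted and (r.purpose not in LAWFUL_BASES or not r.consent_given)
    ]


def enforce_retention(index: list, today_iso: str) -> list:
    """Delete every recording whose retention period has run out on the given
    ISO date (e.g. '2023-07-01'); return the ids removed."""
    today = date.fromisoformat(today_iso)
    removed = []
    for r in index:
        if not r.deleted and r.expires_on() <= today:
            r.deleted = True  # a real system would also shred the audio file
            removed.append(r.recording_id)
    return removed


def subject_access(index: list, customer_id: str) -> list:
    """Ids of live recordings to hand over for a subject access request."""
    return [r.recording_id for r in index
            if r.customer_id == customer_id and not r.deleted]


def erase_subject(index: list, customer_id: str) -> list:
    """Honour an erasure request: delete every live recording of this subject."""
    removed = []
    for r in index:
        if r.customer_id == customer_id and not r.deleted:
            r.deleted = True
            removed.append(r.recording_id)
    return removed


if __name__ == "__main__":
    idx = build_sample_index()
    print("compliance gaps:", compliance_gaps(idx))
    print("expired by 2023-07-01:", enforce_retention(idx, "2023-07-01"))
    print("access request cust-42:", subject_access(idx, "cust-42"))
    print("erasure request cust-42:", erase_subject(idx, "cust-42"))
```

Running the retention pass on a schedule (daily is typical) keeps the time limit from step 6 enforced without anyone remembering to do it, and the `compliance_gaps` check surfaces recordings that were made without a listed lawful basis or without consent before a regulator or data subject asks about them.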
