With the deadline for compliance fast approaching, questions surrounding the new General Data Protection Regulation (GDPR) continue to abound. In this article, James Slaney, co-founder of Dubber, discusses the role GDPR will play in the call recording industry.
The GDPR aims to inspire “privacy by design and default” and give individuals, including smart phone users, bank and insurance customers and NHS patients, a far bigger say in the way their personal data will be processed and stored.
To prepare for the new EU-wide legislation, organisations will be forced to review their data storage to ensure their customers are protected. Organisations that record calls with customers need to take particular considerations into account to ensure compliance with the GDPR.
Communication capture: Is tacit consent enough?
Recorded conversations have the potential to get personal. Personal information shared over the phone can include topics as far ranging as religion and medical records as well as addresses and bank details.
Call recording is therefore seen as a form of data processing and current legislation under the Data Protection Act 1998 requires any recordings to be stored securely, with appropriate measures taken to prevent breaches.
Depending on how a recorded call is going to be used, the current law requires businesses to inform the individuals concerned that this data is going to be captured: this is often done via a recorded message at the start of a conversation. This familiar statement indicating that “calls may be recorded for training purposes” meets the requirements of the Regulation of Investigatory Powers Act 2000 and the Human Rights Act 1998. If a caller continues with the call, their silent agreement is considered enough consent to proceed. Active agreement is currently not required and tacit consent is therefore assumed.
How is the lie of the land changing?
The aims of the GDPR are closely aligned with existing UK data protection legislation: data security, the protection of privacy, and ensuring consumers can give informed consent to the processing of their data are all paramount.
The change that companies will need to prepare for is the requirement to actively justify the capture of conversations and the processing of personal information. Currently tacit consent to a warning message is enough to allow data capture to legally take place: with the new GDPR this will no longer be the case.
GDPR goes above and beyond existing laws, putting consumer rights above those of organisations and stating six conditions under which call recording is deemed lawful:
1. The people involved in the call have given consent to be recorded
2. Recording is necessary for the fulfilment of a contract
3. Recording is necessary for fulfilling a legal requirement
4. Recording is necessary to protect the interests of one or more participants
5. Recording is in the public interest, or necessary for the exercise of official authority
6. Recording is in the legitimate interests of the recorder, unless those interests are overridden by the interests of the participants in the call
Only one of these conditions needs to be met in order to justify recording the call.
For organisations in certain industries, these conditions will easily be met due to sector-specific regulations. For example, financial institutions are required by law to record all calls that lead to a transaction so would meet condition three, whereas recording the calls to emergency services would meet condition five as this is in the interests of public protection.
Condition six is the one that best encapsulates the sentiment of the GDPR: where in the past business interests were valued equally with those of the individual, now they are subordinate to the interests of the consumer. Companies that record calls for training purposes, or to gain an insight into the behaviour of their customers, may find it difficult to justify that these interests outweigh those of their customers. The only remaining option is to gain the consent of the caller and meet condition number one.
How can you prepare your company for the new bill?
With new legislation being added all the time, companies must be ready to adapt to shifting regulations. Investing CapEx in legacy solutions that may be obsolete in the near future can lead to problems. Finding a service that can adapt to new laws along with the organisation itself is essential.
The GDPR should inspire businesses to review their data protection and set themselves apart from other organisations in their industry. Those that invest in compliance solutions that can keep data securely stored as a company grows will differentiate themselves from others in the market who have not kept up to date with changing attitudes. These companies will not only benefit from increased market share, but from a growing store of valuable data that they can mine for information.