On May 25th, 2018 the EU-wide ‘General Data Protection Regulations’ (GDPR) will come into effect. If you are recording phone calls, for any reason, the new legislation affects you.
Historically, call recording in the UK falls under legislation outlined in the ‘Data Protection Act 1998’. That’s due to the likelihood of call recording to capture personal information such as names, addresses, bank & financial details, health & family info, religious beliefs etc. The DPA expects businesses to inform all parties in a call that they are being recorded, and also to tell them what the recording will be used for. Other legislation (RIPA 2000 and HRA 1998), strengthens the need for notification and consent – but in practice, consent is assumed, as long as callers are informed and given the choice to opt-out.
Under GDPR, things change. Businesses now need to notify all parties that they are being recorded, and gain their consent. There is also a requirement to adequately protect stored data (i.e. recordings) from misuse.
The main difference with the GDPR over DPA, is that it strengthens the rights of the individual over the rights of the business. Organisations wanting to record calls will be required to ‘actively justify legality’ by demonstrating that the recordings meet any of the following six processing conditions:
- All parties in the call have given consent to be recorded.
- Recording is necessary to fulfil a contract.
- Recording is necessary to fulfil a legal requirement.
- Recording is necessary to protect the interests of one or more of the call participants.
- Recording is in the public interest, or necessary for the exercise of official authority.
- Recording is in the legitimate interests of the recorder, unless those interests are overridden by the interests of the participants in the call.
Some of these conditions apply to certain sectors only, for example number three applies to businesses in the Financial Services sector that are required by the FCA to record all calls leading up to transactions. Number five would apply to Emergency and Security services in the interest of protecting the public and being held accountable.
For most businesses however, including those that use call recording for monitoring service levels, or staff training, conditions one or six will need to be met. Because the ‘legitimate interests’ of a business to evaluate customer service can’t usually be put above the interests of personal privacy under GDPR, for most call recording scenarios, consent must be given by all parties in the call for recording to take place. And assumed consent is no longer enough. ‘Explicit consent’ to record calls will be required. Note that this applies to your own staff, not just those who call or are called by them. It is also significant that the recording of any ‘private’ calls made by your staff on your business phone system can be in breach of both DPA and GDPR due to the information recorded not being used for its specified purpose or not being justified by one of the ‘processing conditions’.
The GDPR will put an obligation on organisations to formally demonstrate compliance through an adequate policy (similar to a ‘Health & Safety’ policy). Data Protection policies will become a statutory compliance document rather than a recommended option. Businesses wanting to record calls will have to create a call recording policy, outlining the following:
- Which of the six processing conditions they believe apply and why
- Details of the processes used to obtain consent from all parties in a call
- Details of methods used to stop/prevent calls being recorded
- And the measures in place to protect the recordings from misuse
Fines of up to 4% of turnover can be levied for major breaches (for example non-disclosure of recording, or failure to adequately protect data), and penalties of 2% for less serious offences.
The good news is there is time still to create your policy, and set-up processes for explicit consent. That said, there isn’t much time… so now would be an excellent time to get cracking.
About VTSL
VTSL is a leading VoIP business phone system provider in the UK & Ireland, specialising in hosted telephony solutions for medium sized businesses. VTSL’s solutions allow businesses to work smarter and faster, with integrations for CRM systems, email, browsers and more. Offering low per user monthly billing, and bespoke solutions for all clients, it is no wonder VTSL was chosen as the Best Business VoIP Provider by ITSPA. Learn more by calling 020 7078 3200 today or by clicking here for a free consulation and quote.