The General Data Protection Regulation (GDPR) is a new piece of EU-wide legislation designed to help consumers take control of their personal data, which means organisations will need to review their data storage in order to protect their customers. We have written previously about the GDPR, put in place by the European Commission. Delving deeper than our general overview to explore the ways in which it will affect call recording, this guide details how to prepare for the legislation.
The new GDPR is deployed across the EU and replaces the individual data protection laws of each country. This includes UK businesses while the UK remains in the EU and if they have customers in the EU after Brexit’s expected completion date of March 2019. The confusion added by Brexit is clear from the responses to Adestra and Econsultancy’s survey, shown below. Threats of sizeable fines for non-compliance mean that a clear and actionable strategy is essential.
Many are not sure about the impact of Brexit on GDPR. Source: Adestra
The UK’s most recent data protection act, which concerns call recording, dates back to 1998. As recorded conversations have the potential to contain a host of personal information, ranging from names and addresses to financial details, via religious beliefs and medical records, call recording is classified as a form of data processing. The Data Protection Act 1998 requires any recordings to be stored securely, with appropriate measures taken to prevent breaches.
Depending on how a recorded call is going to be used, the law can require businesses to inform the individuals concerned, detailing how and why this is taking place. The message that is often played at the beginning of a call made to a contact centre, stating that the call is being recorded for training purposes, covers this requirement and those of other laws such as the Regulation of Investigatory Powers Act 2000 and the Human Rights Act 1998. In this way, tacit consent to the conversation being recorded is assumed if the caller continues with the call after the statement has been heard.
The aims of the GDPR are closely aligned with existing UK data protection legislation: data security, the protection of privacy, and ensuring consumers can give informed consent to the processing of their data are all paramount. The change that companies need to accommodate is the requirement to actively justify the capture of conversations and the processing of personal information. GDPR goes above and beyond existing laws, putting consumer rights above those of organisations and stating six situations in which call recording is deemed lawful:
Only one of these conditions needs to be met in order to justify recording the call. For organisations in certain industries, these conditions will easily be met due to sector-specific regulations. Financial institutions are required by law to record all calls that lead to a transaction, so they would meet condition 3, whereas recording calls to emergency services would meet condition 5, as this is in the interests of public protection.
Scenario 6 perfectly encapsulates the sentiment of the GDPR: where in the past business interests were valued equally with those of the individual, they are now subordinate to the interests of the consumer. Companies that record calls for training purposes or to gain an insight into the behaviour of their customers may find it difficult to justify that these interests outweigh those of their customers. The only remaining option is to gain the consent of the caller and meet condition 1.
Under the GDPR, tacit consent is no longer enough. The new legislation aims to create a culture of proactive compliance, or a ‘Principle of Accountability’, that will see businesses creating their own call recording policies – including detailing measures that will be taken to obtain consent and keep recordings secure.
Where data protection was once largely reactive, advances in technology and the increasing threat of cyber attacks mean that attitudes need to change. The GDPR is an opportunity to review company practices and come up with new ways of putting customers first. With consumer data such a valuable asset, data protection that is communicated to customers clearly and honestly will see businesses differentiate themselves. At a time when cybersecurity is of great concern to consumers, a guarantee that personal data is being protected – particularly when it is highly sensitive personal information – will give businesses an advantage over their competitors.
With new legislation being added all the time, companies must be ready to adapt to shifting regulations. Investing CapEx in legacy solutions that may be obsolete in the near future can lead to problems. Finding a service that can adapt to new laws along with the organisation itself is essential. With Dubber’s native cloud architecture, call recording can be scaled on-demand to adapt to changing requirements. Additionally, Dubber is built on the cloud infrastructure of Amazon Web Services, who have a team of security specialists that are working to ensure that their customers across Europe are fully prepared for the new regulations.
The GDPR should inspire businesses to review their data protection and set themselves apart from other organisations in their industry. Those that invest in compliance solutions that can keep data securely stored as a company grows will differentiate themselves from others in the market who have not kept up to date with changing attitudes. These companies will benefit not only from an increased market share but also from a growing store of valuable data that they can mine for information.