GDPR & Recording calls
The new General Data Protection Regulations (GDPR) take effect from 25th May 2018. This new wide-ranging set of regulations impacts many of the ways in which data is stored as well as the way in which data (including call recordings) is handled.
The current law requires businesses to inform the individuals concerned that call recording data is going to be captured. This is often communicated to the caller via a recorded message at the start of a conversation, such as “Your call may be recorded for monitoring, training and security purposes”.
With the introduction of GDPR, this “silent agreement” will no longer be treated as valid consent. After the introduction of GDPR on the 25th May 2018, consent can only be given via explicit agreement.
Additionally, once recording has commenced, the caller may withdraw their consent, meaning that you must be able to stop a previously started recording and ensure the recording is not stored (that is, it is permanently deleted).
When can you record a call?
GDPR goes above and beyond existing laws, putting consumer rights above those of organisations and stating six conditions under which call recording is deemed lawful:
1. The people involved in the call have given consent to be recorded
2. Recording is necessary for the fulfilment of a contract
3. Recording is necessary for fulfilling a legal requirement
4. Recording is necessary to protect the interests of one or more participants
5. Recording is in the public interest, or necessary for the exercise of official authority
6. Recording is in the legitimate interests of the recorder unless those interests are overridden by the interests of the participants in the call
For organisations in certain industries, these GDPR call recording conditions will easily be met due to sector-specific regulations. For example, financial institutions are required by law to record all calls that lead to a transaction so would meet condition three.
Condition six is the one that best encapsulates the sentiment of the GDPR. Where in the past business interests were valued equally with those of the individual, they are now subordinate to the interests of the consumer. Companies that record calls for training purposes, or to gain an insight into the behaviour of their customers, may find it difficult to justify that these interests outweigh those of their customers.
The only remaining option is to gain the consent of the caller and meet condition number one.
It is also significant that recording any ‘private’ calls made by your staff on your business phone system can be in breach of both DPA and GDPR, because the information recorded is not being used for its specified purpose and/or is not justified by one of the ‘processing conditions’.
What needs addressing?
In short, businesses will need to address the GDPR on two fronts:
Training & Behaviour: Policies and protocols need to be spread across the organisation to ensure all staff are aware of the changes.
Technology: Solutions for storing audio files safely will be required within the business to keep on top of the calls being made and ensure they are protected from misuse.
Create a call recording policy
Businesses that record their calls will also need to create a call recording policy outlining, broadly and not restricted to: which of the six processing conditions they believe apply and why; the process(es) used to obtain consent from all parties in a call; the method(s) used to stop or prevent a call being recorded; and what measures are in place to protect the records from misuse.
How can Vivi help?
Using our GDPR-compliant hosted VoIP telephone system you can specifically define the justification for call recording, the opt-in process and control all elements of the call recording in terms of the prompts heard by all parties.
Staff members handling a call have full control over the state of call recording based on permissions granted to them in the recording profile, with the ability to start, pause, resume and stop call recording being available via our star services *7.
We store all call recordings in our own data centre facilities and use the highest strength encryption available. When you are required to delete a call recording, doing so in our portal ensures there are no stray copies of the data.
Obtaining explicit consent is the key to getting it right.
This would mean that for every call, your staff would be required to verbally ask for consent, and then also have procedures in place for when consent is not given.
However, for incoming calls, there may be another solution.
1) Customer calls in to your office and the call is greeted by your usual auto attendant / IVR (If applicable)
2) A new Auto attendant / IVR level is added which may say something like “At ABC company we monitor and record calls for training and security purposes. To consent to this call being recorded press 1, if you still want to talk to us but do not provide consent to the call being recorded press 2”.
3) The caller presses 1 and hears: “Thank you, you have consented to have your call recorded” and is placed in the call queue.
4) When answering the call your staff member then hears a call whisper “The caller has consented to call recording”.
5) Call is connected and being recorded, with your staff member having full control over the future state of call recording.
If the caller declines to give consent for call recording they hear a prompt such as: “You have declined to have this call recorded. Unfortunately we will be unable to discuss financial matters with you, please hold and we will answer your call as soon as possible”.
When answering the call your staff member will hear a call whisper “The caller has declined to call recording” which will prompt them to stop the call being recorded by simply dialling *7.
Our GDPR-compliant call recording system records the call from the outset, so any menu options selected by the caller, as well as any call prompts on the caller’s side, will be recorded. This solution ensures that you keep within the GDPR guidelines for call recording. All that you need to do is make sure that any caller who declines consent is not recorded any further (by dialling *7) and that the recording is immediately deleted via the portal.
If you receive a GDPR complaint
You must be able to provide a robust response to any kind of complaint against the process of your call recording.
A call recording that is stored should have all evidence backing up the justification for the call recording as well as clear and absolute evidence of the consent being granted. The actual prompts played will need to be versioned for that call, or the consent must be audible within the recording.
The process of withdrawing consent needs to be catered for, either at the request of the caller or by the agent who has identified that recording the call is no longer necessary.
This requires input from the staff member to control the state of recording. As part of this, they should have the ability to pause recordings and resume them if the conversation moves into an area that the justification for call recording does not cover, or where another regulation overrules it (for example PCI-DSS when taking card payments over the phone).
The right to be forgotten
If a customer invokes their right to be forgotten, you need to be able to identify calls made to or from that customer and have the ability to permanently remove unwanted call recordings.
Searching for calls from particular telephone numbers is simple using the portal – you just enter the phone number into the search box (do this for both inbound and outbound) and all calls saved that bear this phone number are displayed, allowing you to individually delete these.