How GDPR Affects Call Recording – Everything You Need to Know
On May 25 this year, the General Data Protection Regulation (GDPR) came into force. But this is only the beginning, as organizations will need to make sure that everything they implement from now on complies with the new regulation.
Even though GDPR is now in effect, many organizations are still trying to determine what their obligations are under the new rules (if you’re still unclear whether your call center is GDPR compliant or not, then hurry up and make sure you check out our GDPR checklist for call centers!).
Perhaps one of the most confusing areas of the new rules – which is causing headache for many businesses – remains the handling, processing, and maintaining of recorded calls. As we all know, call recording is a common call center practice, with many benefits to a call center. But when it comes to recording agent calls, are you sure that your call center is playing by the rules?
In this article, we’ll discuss how the new legislation affects call recording, and how you can ensure that your call center is processing call recording in accordance with these new rules.
Call recording under GDPR
As we already went through in a previous article, the main aim of GDPR is to strengthen data protection across the EU, while giving people more control over how organizations can use their personal data. In fact, although you might not think so, voice files are considered personal data as they can include personal information, such as the caller’s name, address or financial information. As a result, call recording is classified as a form of ‘data processing’, and falls under the new rules covered by GDPR.
Although call recording was already classified as a form of “data processing” under the Data Protection Act of 1998 (DPA), GDPR brought some significant changes to the table, and call centers will definitely need to take them into consideration if they plan to continue recording their calls.
Under DPA, tacit consent was assumed as long as customers were informed about the purpose of the recording, and were given the option to opt out. Under GDPR, however, the consent of the individual to be recorded can now not simply be assumed. As a result, the often-used “calls are recorded for training purposes” messages will no longer be enough to gain consent to record agent calls.
With GDPR in force, call centers need to ensure that customers give specific and unambiguous consent to be recorded. Furthermore, organizations will need to justify that their purpose for recording calls fulfills one of the conditions below:
- Individual(s) involved in the call have given their consent to be recorded (oral acceptance during the call, consent after receiving a message, or consent as part of a customer agreement)
- Recording is required to fulfill a contract to which the individual is a party
- Recording is required to fulfill a legal obligation to which the recorder is subject
- Recording is required to protect the interests of one or more participants
- Recording is in the public interest
- Recording is in the recorder’s interest unless those interests are less important than the interests of the individuals in the call
As GDPR is now in force, we trust that your company already ensured that your customer calls recording are running as outlined above. But unfortunately, that doesn’t mean that your work ends there. Besides gaining specific consent from customers, call centers – and organizations as a whole – need to be able to recall any audio files on request, and provide customers with requested personal information within one month of the request.
Furthermore, under GDPR, companies are now required to delete customers’ personal data upon request – known as the ‘right to be forgotten’. As a result, all data – including recorded calls – must be easily available, and if a call center is unable to deliver or delete data within the requested time frame, it could lead to heavy penalties for the organization.
In contrast, many call recording solutions, typically encrypt all information in a call, thus making deleting calls from them costly in terms of time and effort. As such, in order to be able to make recorded calls easily accessible, the implementation of technology tools able to handle these demands is an absolute must.
In addition, once you have a top-notch technology solution in place, don’t forget to educate your staff about GDPR. Addressing GDPR on these two fronts will make all the difference.
GDPR clearly represents a significant challenge for any call center. However, if you play by the rules, you can be sure that your call center will still be able to benefit from data collected via call recording while remaining compliant with the new legislation.