Contact us +44 800 524 4440 Support Downloads Demo Search
Why VoIPstudio?
Why voipstudio?
Rocket
It’s a complete business phone system

VoIPstudio is an award-winning cloud telephony service that’s been designed for businesses like yours
VoIP integrations
It has lots of integrations

VoIPstudio fits right in with your most important apps and CRMs to simplify your workflow
VoIP calls
It’s easy to use and cost-effective

Business telephones don’t have to be complicated or expensive. We’ve made VoIPstudio in a different way
Customers
Our customers think we’re excellent

Check out the case studies and reviews to see what our customers have to say about the service we provide
try it for free! See the demo
features
Features
Headphones
A complete Call Centre

A fully equipped Call Centre, direct from the cloud, get started today
VoIP call recording
Call recording

Unlimited call recording to help you manage compliance and performance
VoIP collaboration
Collaboration

Bring your teams together with our collaboration features, including video calls and video conferencing.NEW
Information
Virtual Switchboard

Manage your calls in real-time with drag and drop call control
Global connections
Virtual numbers

Thousands of cities, millions of numbers to choose, geo and non-geographic
Business phone support
40+ Advanced call control features

Build IVR systems, complex routing and manage calls
try it for free! See the demo
Pricing
pricing plans
Pay as you go

Mostly inbound calls?
Choose a low-cost monthly licence fee and simply pay as you go for the calls you make

$ 4.99
Per user/ month
2K Bundle

Outbound calls to different places?
Get 2,000 outbound minutes per user/ month and one inbound number per user

Covers international calls to over 45 countries including:

USA flag UK flag Canada flag Australia flag China flag German flag Spain flag
$ 16.99
Per user/ month
Call Rates and Hardware
VoIP call rates
Call rates

See the per min call rates to every country you’ll ever need to connect to
VoIP telephone numbers
Telephone numbers

Prices for the set up and maintenance of local and international numbers
Business telephones
Hardware

View our range of IP handsets and desk phones from leading vendors
try it for free! See the demo
Resources
Resources
VoIPstudio tutorial
Tutorial videos

Get some help with the basics! Watch our tutorial videos
VoIP guide
How to guides

Learn how to optimise your VoIPstudio with our helpful ‘How to’ guides
VoIP blog business
Our blog

Read our latest thoughts on the telecoms industry and technology
Business communications case studies
White papers

Learn more about business telephone systems and everything VoIP
VoIP business case studies
Case Studies

Thousands of happy customers! Here’s what they have to say
VoIP business FAQ
FAQs

Got a question? We’ve probably already answered it!
try it for free! See the demo
Try it for 30 days!
Why voipstudio?
Why voipstudio?
Features
Features
pricing, call rates, hardware
pricing, call rates, hardware
Resources
Resources
Start 30 day free trial

No credit card required – 200 min. free calls

Customer Support Menu IconCustomer SupportArrow Menu Icon

Talk to Sales Menu IconTalk to SalesArrow Menu Icon

Contact Us Menu IconContact UsArrow Menu Icon

Sign Up Free
5 minute read |

Call recording and GDPR: what must you do to comply?

VoIP phone service background
VOIPSTUDIO

Contact centers and customer service departments in any business have to consider legal requirements when recording calls. That’s not surprising but since the European Union’s General Data Protection Regulations (GDPR) came into effect, the landscape of call recording has changed. The relationship between call recording and GDPR compliance can be tricky to navigate, so here’s what you need to know.

Call recording and GDPR

Call recording is a form of data processing since the recordings often contain personal or sensitive information. Customers may give their PIN numbers, address, financial, or health information over the phone. Companies capture all that information when recording calls. It means call recording must comply with specific rules outlined in the GDPR.

Unlike regulations in other countries, the GDPR provides strict guidelines on how and when calls may be recorded, obtaining consent from customers, and storing the recorded calls. The GDPR aims to unite the existing laws and regulations across EU member states, so businesses have a central source of reference. It intends to strengthen the rights of EU citizens and help them control the information businesses have about them.

Who should follow GDPR?

GDPR applies to the export of personal data outside the EU and applies to any business that processes data of EU citizens, even if your company is not located within the EU borders. That last bit is pretty important to remember. If you think you don’t need to comply with GDPR as you’re located in another country, think again. 

Your business needs to comply with GDPR if you:

  • Process data relating to EU citizens even if you are located elsewhere.
  • If you offer goods and services to EU citizens, even if you don’t ask for or collect payment for them.
  • Monitoring behavior within EU borders.

While there are exceptions for small businesses that meet certain criteria, most companies have to adhere to GDPR if they have any dealings with EU citizens or handle their data.

Call recording and GDPR: Consent

GDPR changes the rules significantly when it comes to obtaining consent from callers for recording calls. You’re probably familiar with the message at the start of a call saying ‘this call will be recorded for training purposes.’ If the caller continues to stay on the line and does not hang up, the company assumes they have consented. This is what is known as implied consent.

Under GDPR, implied consent is no longer sufficient. Under the regulations, companies need to obtain consent explicitly and only after informing the caller about the reason. So a business should state the reason for recording calls and provide a way for the caller to consent. Most organizations will ask the caller to press a number to give consent and another to decline recording.

Call recording and GDPR: Purpose

Prior to GDPR going into effect in 2018, businesses could simply state that recording is done for training purposes – or anything else – even if they have no intention of using it in that manner. A company may simply want to review recorded calls for customer feedback or compliance, even if the stated reason is different. 

In the post-GDPR world, organizations cannot do that anymore. Any call you record should meet one of the following conditions:

  1. All participants have consented to the recording for one or more stated and specific reasons
  2. The recording is needed to fulfill a contract and the caller is party to it
  3. Call recording is necessary to fulfill a legal obligation on the part of the business
  4. The company can show that recording is needed to protect the interests of one or more participants
  5. Recording the call is in the public interest or is necessary to exercise official authority
  6. Call recording is in the interest of the business, provided it does not override the interest of the caller when there is a need to collect personal data

A quick review of the conditions reveals that call recording is absolutely permitted and not prohibited under GDPR. It is a means to ensure companies do not run roughshod over individual rights when collecting personal data. After all, you don’t have to worry about losing customer data if you never had it in the first place. It also frees up businesses from wasting resources collecting data when you don’t need it.

Call recording and GDPR: When, where, and how

The purpose of recording calls satisfies the question of why a business needs to do it in the first place. But the GDPR also insists on companies making it clear about when, where, and how calls are recorded. So if your contact center has integrated landlines, VoIP, mobile devices into a single system, then you need to comply with GDPR requirements at all points throughout. 

It is no longer sufficient to obtain consent or state call recording purpose on landlines but ignore mobile devices. If your staff is handling customer calls on any platform, then you are required to inform callers about recording the call as usual.

GDPR: What else do you need?

Most businesses have focussed on the changes to obtaining consent and purpose of call recording as they are the most important components of GDPR compliance. It’s easy to forget that the legislation accounts for other factors related to call recording such as the right to access data, the right to be forgotten, how long companies can keep recordings and how to protect the data from theft or loss.

Right to access data

The GDPR states that customers have the right to access their personal data stored by any business. This rule applies to recorded calls as well. So if one of your customers requests access to their call recording, you must fulfill it within 30 days. In practical terms, your organization should have the ability to search for and retrieve particular calls when required. You cannot just put all the collected calls into a server and forget about it.

Right to be forgotten

The GDPR also ensures that customers have the right to be forgotten i.e they can ask a company to delete all their stored data. Once again, call recordings come under the definition of personal data for this purpose. Once such a request comes in, the business has to comply and delete the data securely.

However, a business need not delete the data if:

  • The stated purpose is not yet fulfilled
  • It would violate any state or federal laws
  • It is necessary to defend legal claims or establish legal rights
  • The data is necessary to exercise the right of freedom of expression or information
  • It is needed for archiving in the public interest.  

From a business perspective, any solution you use to store recordings should have the ability to completely and securely delete them at any time.

Data protection and retention rules

Over the last decade, companies have witnessed the increased media scrutiny on security breaches and the potential loss associated with data theft. Accordingly, the GDPR also has compliance requirements when it comes to data protection and retention. 

Call recordings must be stored securely and businesses should ensure proper access controls are in place. There should be physical and technical safeguards for data security and privacy. You should assess the risks associated with hackers, malicious insiders, and even careless employees and take measures accordingly. 

Additionally there are provisions relating to how long businesses can store and retain the call recordings. Once the original purpose for which it was collected is fulfilled, companies must securely delete them

Some organizations may balk at the cost or effort involved but the potential loss of customer data is too risky to ignore. The GDPR only requires that companies take reasonable measures to provide adequate safety and does not mandate a 100% perfect security landscape.

Call recordings and GDPR-compliant solutions

So what does all this mean for your business? Any solution you implement should have the following capabilities:

  1. Obtain explicit consent from callers
  2. Clearly state the intended purposes of the call recording
  3. Store recorded data securely
  4. Easily access and retrieve particular call recording when needed
  5. Securely delete recorded calls when a customer asks for it
  6. Be reasonably secure against external and internal security risks

This sounds like an enormous and costly undertaking but it need not be. There are several solutions on the market that can cater to GDPR requirements. The hard part is finding a vendor who will provide the service you need at a price you can afford.

What happens if you don’t comply or fail to deploy adequate measures? The fines for non-compliance or violations can be extremely steep. The GDPR has provision to fine up to 4% of a company’s annual turnover or 20 million EUR whichever is greater. Now that is definitely not a small amount for most organizations. 

So make sure that your solution covers all the bases and leaves you free to focus on what’s important: your customers.

Contact voipstudio.com for more information about call recording and GDPR Compliance.

Ready to get started with VoIPstudio?

Start a free 30 day trial now, no credit card details are needed!

Thousands of businesses across the world trust VoIPstudio for all of their most vital business communications. Why not be the next?

Thousands of businesses across the world trust VoIPstudio for all of their most vital business communications. Why not be the next?

Start my trial! Take a 30 day free trial

Start a free 30 day trial now, no credit card details are needed!