Contact centers and customer service departments in any business have to consider legal requirements when recording calls. That’s not surprising, but since the European Union’s General Data Protection Regulation (GDPR) came into effect, the landscape of call recording has changed. The relationship between call recording and GDPR compliance can be tricky to navigate, so here’s what you need to know.
Call recording is a form of data processing, since the recordings often contain personal or sensitive information. Customers may give their PINs, addresses, or financial or health information over the phone. Companies capture all that information when recording calls. This means call recording must comply with specific rules outlined in the GDPR.
Unlike regulations in other countries, the GDPR provides strict guidelines on how and when calls may be recorded, obtaining consent from customers, and storing the recorded calls. The GDPR aims to unite the existing laws and regulations across EU member states, so businesses have a central source of reference. It intends to strengthen the rights of EU citizens and help them control the information businesses have about them.
GDPR applies to the export of personal data outside the EU and to any business that processes data of EU citizens, even if your company is not located within the EU borders. That last bit is pretty important to remember. If you think you don’t need to comply with GDPR as you’re located in another country, think again.
Your business needs to comply with GDPR if you:
While there are exceptions for small businesses that meet certain criteria, most companies have to adhere to GDPR if they have any dealings with EU citizens or handle their data.
GDPR changes the rules significantly when it comes to obtaining consent from callers for recording calls. You’re probably familiar with the message at the start of a call saying ‘this call will be recorded for training purposes.’ If the caller continues to stay on the line and does not hang up, the company assumes they have consented. This is what is known as implied consent.
Under GDPR, implied consent is no longer sufficient. Under the regulations, companies need to obtain consent explicitly and only after informing the caller about the reason. So a business should state the reason for recording calls and provide a way for the caller to consent. Most organizations will ask the caller to press a number to give consent and another to decline recording.
Prior to GDPR going into effect in 2018, businesses could simply state that recording was done for training purposes – or anything else – even if they had no intention of using it in that manner. A company might simply have wanted to review recorded calls for customer feedback or compliance, even if the stated reason was different.
In the post-GDPR world, organizations cannot do that anymore. Any call you record should meet one of the following conditions:
A quick review of the conditions reveals that call recording is absolutely permitted and not prohibited under GDPR. The conditions are a means to ensure companies do not run roughshod over individual rights when collecting personal data. After all, you don’t have to worry about losing customer data if you never had it in the first place. They also free businesses from wasting resources collecting data they don’t need.
The purpose of recording calls answers the question of why a business needs to do it in the first place. But the GDPR also insists that companies make clear when, where, and how calls are recorded. So if your contact center has integrated landlines, VoIP, and mobile devices into a single system, then you need to comply with GDPR requirements at all points throughout.
It is no longer sufficient to obtain consent or state the purpose of call recording on landlines but ignore mobile devices. If your staff is handling customer calls on any platform, then you are required to inform callers about recording the call as usual.
Most businesses have focussed on the changes to obtaining consent and purpose of call recording as they are the most important components of GDPR compliance. It’s easy to forget that the legislation accounts for other factors related to call recording such as the right to access data, the right to be forgotten, how long companies can keep recordings and how to protect the data from theft or loss.
The GDPR states that customers have the right to access their personal data stored by any business. This rule applies to recorded calls as well. So if one of your customers requests access to their call recording, you must fulfill it within 30 days. In practical terms, your organization should have the ability to search for and retrieve particular calls when required. You cannot just put all the collected calls onto a server and forget about them.
The GDPR also ensures that customers have the right to be forgotten, i.e., they can ask a company to delete all their stored data. Once again, call recordings come under the definition of personal data for this purpose. Once such a request comes in, the business has to comply and delete the data securely.
However, a business need not delete the data if:
From a business perspective, any solution you use to store recordings should have the ability to completely and securely delete them at any time.
Over the last decade, companies have witnessed increased media scrutiny of security breaches and the potential loss associated with data theft. Accordingly, the GDPR also has compliance requirements when it comes to data protection and retention.
Call recordings must be stored securely and businesses should ensure proper access controls are in place. There should be physical and technical safeguards for data security and privacy. You should assess the risks associated with hackers, malicious insiders, and even careless employees and take measures accordingly.
Additionally, there are provisions relating to how long businesses can store and retain call recordings. Once the original purpose for which the recordings were collected is fulfilled, companies must securely delete them.
Some organizations may balk at the cost or effort involved, but the potential loss of customer data is too risky to ignore. The GDPR only requires that companies take reasonable measures to provide adequate safety and does not mandate a 100% perfect security landscape.
So what does all this mean for your business? Any solution you implement should have the following capabilities:
This sounds like an enormous and costly undertaking, but it need not be. There are several solutions on the market that can cater to GDPR requirements. The hard part is finding a vendor who will provide the service you need at a price you can afford.
What happens if you don’t comply or fail to deploy adequate measures? The fines for non-compliance or violations can be extremely steep. The GDPR provides for fines of up to 4% of a company’s annual turnover or 20 million EUR, whichever is greater. That is definitely not a small amount for most organizations.
So make sure that your solution covers all the bases and leaves you free to focus on what’s important: your customers.
Contact voipstudio.com for more information about call recording and GDPR Compliance.
Start a free 30 day trial now, no credit card details are needed!
Thousands of businesses across the world trust VoIPstudio for all of their most vital business communications. Why not be the next?