5 minute read |

Call recording and GDPR: what must you do to comply?

VoIP phone service background

Contact centers and customer service departments in any business have to consider legal requirements when recording calls. That’s not surprising but since the European Union’s General Data Protection Regulations (GDPR) came into effect, the landscape of call recording has changed. The relationship between call recording and GDPR compliance can be tricky to navigate, so here’s what you need to know.

Call recording and GDPR

Call recording is a form of data processing since the recordings often contain personal or sensitive information. Customers may give their PIN numbers, address, financial, or health information over the phone. Companies capture all that information when recording calls. It means call recording must comply with specific rules outlined in the GDPR.

Unlike regulations in other countries, the GDPR provides strict guidelines on how and when calls may be recorded, obtaining consent from customers, and storing the recorded calls. The GDPR aims to unite the existing laws and regulations across EU member states, so businesses have a central source of reference. It intends to strengthen the rights of EU citizens and help them control the information businesses have about them.

Who should follow GDPR?

GDPR applies to the export of personal data outside the EU and applies to any business that processes data of EU citizens, even if your company is not located within the EU borders. That last bit is pretty important to remember. If you think you don’t need to comply with GDPR as you’re located in another country, think again. 

Your business needs to comply with GDPR if you:

  • Process data relating to EU citizens even if you are located elsewhere.
  • If you offer goods and services to EU citizens, even if you don’t ask for or collect payment for them.
  • Monitoring behavior within EU borders.

While there are exceptions for small businesses that meet certain criteria, most companies have to adhere to GDPR if they have any dealings with EU citizens or handle their data.

Call recording and GDPR: Consent

GDPR changes the rules significantly when it comes to obtaining consent from callers for recording calls. You’re probably familiar with the message at the start of a call saying ‘this call will be recorded for training purposes.’ If the caller continues to stay on the line and does not hang up, the company assumes they have consented. This is what is known as implied consent.

Under GDPR, implied consent is no longer sufficient. Under the regulations, companies need to obtain consent explicitly and only after informing the caller about the reason. So a business should state the reason for recording calls and provide a way for the caller to consent. Most organizations will ask the caller to press a number to give consent and another to decline recording.

Call recording and GDPR: Purpose

Prior to GDPR going into effect in 2018, businesses could simply state that recording is done for training purposes – or anything else – even if they have no intention of using it in that manner. A company may simply want to review recorded calls for customer feedback or compliance, even if the stated reason is different. 

In the post-GDPR world, organizations cannot do that anymore. Any call you record should meet one of the following conditions:

  1. All participants have consented to the recording for one or more stated and specific reasons
  2. The recording is needed to fulfill a contract and the caller is party to it
  3. Call recording is necessary to fulfill a legal obligation on the part of the business
  4. The company can show that recording is needed to protect the interests of one or more participants
  5. Recording the call is in the public interest or is necessary to exercise official authority
  6. Call recording is in the interest of the business, provided it does not override the interest of the caller when there is a need to collect personal data

A quick review of the conditions reveals that call recording is absolutely permitted and not prohibited under GDPR. It is a means to ensure companies do not run roughshod over individual rights when collecting personal data. After all, you don’t have to worry about losing customer data if you never had it in the first place. It also frees up businesses from wasting resources collecting data when you don’t need it.

Call recording and GDPR: When, where, and how

The purpose of recording calls satisfies the question of why a business needs to do it in the first place. But the GDPR also insists on companies making it clear about when, where, and how calls are recorded. So if your contact center has integrated landlines, VoIP, mobile devices into a single system, then you need to comply with GDPR requirements at all points throughout. 

It is no longer sufficient to obtain consent or state call recording purpose on landlines but ignore mobile devices. If your staff is handling customer calls on any platform, then you are required to inform callers about recording the call as usual.

GDPR: What else do you need?

Most businesses have focussed on the changes to obtaining consent and purpose of call recording as they are the most important components of GDPR compliance. It’s easy to forget that the legislation accounts for other factors related to call recording such as the right to access data, the right to be forgotten, how long companies can keep recordings and how to protect the data from theft or loss.

Right to access data

The GDPR states that customers have the right to access their personal data stored by any business. This rule applies to recorded calls as well. So if one of your customers requests access to their call recording, you must fulfill it within 30 days. In practical terms, your organization should have the ability to search for and retrieve particular calls when required. You cannot just put all the collected calls into a server and forget about it.

Right to be forgotten

The GDPR also ensures that customers have the right to be forgotten i.e they can ask a company to delete all their stored data. Once again, call recordings come under the definition of personal data for this purpose. Once such a request comes in, the business has to comply and delete the data securely.

However, a business need not delete the data if:

  • The stated purpose is not yet fulfilled
  • It would violate any state or federal laws
  • It is necessary to defend legal claims or establish legal rights
  • The data is necessary to exercise the right of freedom of expression or information
  • It is needed for archiving in the public interest.  

From a business perspective, any solution you use to store recordings should have the ability to completely and securely delete them at any time.

Data protection and retention rules

Over the last decade, companies have witnessed the increased media scrutiny on security breaches and the potential loss associated with data theft. Accordingly, the GDPR also has compliance requirements when it comes to data protection and retention. 

Call recordings must be stored securely and businesses should ensure proper access controls are in place. There should be physical and technical safeguards for data security and privacy. You should assess the risks associated with hackers, malicious insiders, and even careless employees and take measures accordingly. 

Additionally there are provisions relating to how long businesses can store and retain the call recordings. Once the original purpose for which it was collected is fulfilled, companies must securely delete them

Some organizations may balk at the cost or effort involved but the potential loss of customer data is too risky to ignore. The GDPR only requires that companies take reasonable measures to provide adequate safety and does not mandate a 100% perfect security landscape.

Call recordings and GDPR-compliant solutions

So what does all this mean for your business? Any solution you implement should have the following capabilities:

  1. Obtain explicit consent from callers
  2. Clearly state the intended purposes of the call recording
  3. Store recorded data securely
  4. Easily access and retrieve particular call recording when needed
  5. Securely delete recorded calls when a customer asks for it
  6. Be reasonably secure against external and internal security risks

This sounds like an enormous and costly undertaking but it need not be. There are several solutions on the market that can cater to GDPR requirements. The hard part is finding a vendor who will provide the service you need at a price you can afford.

What happens if you don’t comply or fail to deploy adequate measures? The fines for non-compliance or violations can be extremely steep. The GDPR has provision to fine up to 4% of a company’s annual turnover or 20 million EUR whichever is greater. Now that is definitely not a small amount for most organizations. 

So make sure that your solution covers all the bases and leaves you free to focus on what’s important: your customers.

Contact voipstudio.com for more information about call recording and GDPR Compliance.

Ready to get started with VoIPstudio?

Start a free 30 day trial now, no credit card details are needed!

Thousands of businesses across the world trust VoIPstudio for all of their most vital business communications. Why not be the next?

Thousands of businesses across the world trust VoIPstudio for all of their most vital business communications. Why not be the next?

Start a free 30 day trial now, no credit card details are needed!