The General Data Protection Regulation (GDPR) came into force across Europe in May 2018, which means all national data protection laws will be replaced.
A huge number of businesses rely on call recording as a key tool. The GDPR is set to have a massive impact on call recording, and the rules and regulations surrounding this area can seem confusing and frustrating for business owners.
The GDPR is set to strengthen the rights of individuals when it comes to businesses collecting, recording and using their personal data. This places a greater requirement on companies to demonstrate their compliance, and increases the penalties for companies that do not comply.
The Law previously
Currently, call recording is classified as a form of data processing. The Data Protection Act states that individuals must be informed and aware that they are being recorded and why they are being recorded.
This is because recorded calls have the potential to capture:
- Personally identifiable information, such as names and addresses
- Sensitive information, such as banking, financial, health, family, religious details etc.
The Data Protection Act also sets out rules for the correct handling of data, which require any recorded calls to be stored securely, with steps taken to avoid breaches.
With regard to call recording, the key changes under the new GDPR are the expectations around protecting privacy, notification and consent, as well as the requirement to adequately protect stored data from misuse.
The main difference is that the GDPR strengthens the rights of the individual over the rights of an organisation.
Businesses wishing to record calls will be required to actively justify legality by demonstrating that the purpose meets any of the six conditions:
- The people involved in the call have given consent to be recorded.
- A recording of a call is necessary for the fulfillment of a contract.
- Recording is necessary for fulfilling a legal requirement.
- The call recording is necessary to protect the interests of one or more participants.
- The call recording is in the public interest or necessary for the exercise of official authority.
- Recording is in the legitimate interests of the recorder, unless those interests are overridden by the interests of the participant in the call.
Demonstrating your Compliance
Along with the new GDPR comes a new ‘Principle of Accountability’, which puts a requirement on organisations to demonstrate their compliance. Data protection policies will soon become a statutory compliance document, rather than a recommended option. Therefore, businesses wishing to record calls will be required by law to draw up a specific call recording policy. This should outline the processing conditions that they believe apply and the reasons why. In addition, it should detail how they will go about things such as obtaining consent from participants, and the measures in place to protect recordings from misuse.
If a business does not comply, it faces penalties, and the penalties under the regulations are stringent. Fines of up to four per cent of turnover will be issued for major breaches, which may include non-disclosure of recording or failure to protect data. There will also be penalties for less serious breaches, of up to two per cent of turnover.
Getting GDPR Ready
Although the UK is set to leave the EU in March 2019, you still need to be GDPR ready…
- The government will bring the GDPR into UK law.
- The GDPR still applies to any organisation doing business in the EU!
The GDPR came into full force in May 2018. However, experts have estimated it can take up to, and over, 6 months for businesses to get ready. GMA recommend that if you are unsure whether you are GDPR ready, you should carry out a thorough audit. GMA’s GDPR Health Checks assess risk, impact and awareness. From an audit, policies and protocols can be drawn up to give you plenty of time to make sure you are ready for GDPR. Contact us today to get your audit.