The new EU General Data Protection Regulation (commonly referred to as GDPR) came into effect on May 25, 2018, meaning that small businesses still face a big challenge to ensure compliance.
GDPR is an EU-wide legal framework governing the collection and storage of, and access to, personal data, with the primary aim of giving control back to citizens, residents and customers. Despite Brexit, UK businesses will still be subject to the new rules, and will continue to be so if they have customers in the EU.
Perhaps the most complex and confusing areas of the new rules concern the recording and storage of telephone calls. Call recording is classified as a form of ‘data processing’, as it can include name and addresses, and personal information, such financial or health information. It now falls under the GDPR rules.
This is a clear challenge for businesses. Where do you start? Here are 5 points to consider in getting your call recording strategy GDPR compliant, and remaining so. Importantly, we will be expanding on each point in future blogs:
- Active consent – All callers must offer their consent to be recorded. This can be achieved in different ways. The most common ways are oral acceptance during the call, consent after receiving a message, or as part of a customer agreement.
- Delete the data – How long the recording is stored for depends on its purpose, and should be communicated to the caller at the time (see above). But it is then the responsibility of the organisation recording the call to delete the data at the specified time.
- The right to greater access to personal data – This was a major change brought about by GDPR; greater access to stored personal data. Customers and employees may require electronic access to the data stored on them, and it is the obligation of the organisation to make this information available without delay.
- The right to be forgotten – “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay....”. This means that organisations MUST delete someone’s personal data without delay if the data is no longer necessary in relation to the purpose of the recording. NOTE: ‘The right to be forgotten’ does not override legal and compliance obligations such as MiFID II.
- Easy access to recordings – All stored data that can be used to identify an individual, including recorded calls, must be easy to locate and distinguishable from the data of other individuals.
The Touch solution
Touch can provide a ‘health check’ and system verification of all your existing call recording solutions. We have over 7 years’ experience of working with banks, financial advisors, stockbrokers, traders, hedge funds, and insurance companies, and ensuring that their call recording services are compliant with all relevant legislation. We provide a status report with recommendations to help you achieve compliance with GDPR.
The Touch service captures electronic communications from more than 35 different solutions, including all mobile and fixed calls, as well as web-based communications such as Skype. It´s a complete solution that ensures you meet all regulations and obligations relevant to GDPR. In turn, it allows you to focus on growing your business, and removes the headache of GDPR compliance. Touch also supports MiFID II which became active from January 3, 2018.
Stayed tuned! In future blogs, we will expand on these 5 obligations and considerations to ensure that you know exactly what you need to do to comply with GDPR. Start today! Contact us.