The General Data Protection Regulation (GDPR) came into effect on May 25, 2018, and affects any organisation that controls or processes the personal data of customers and citizens. Those that fail to comply, or that suffer data breaches, can now be fined up to €50 million (or 4% of annual turnover, whichever is higher).
One of the main changes in the new rules, and one of the most complex and confusing areas, concerns the recording and storage of telephone calls and multichannel data communications. Such communications count as ‘data processing’ because they are likely to contain personal information, from names and addresses to dates of birth and even health and financial data.
In our recent series of blogs, Touch has covered some of these aspects in broader terms, but the next set of blogs will each focus in more detail on a specific area of the rules. In this blog, we cover: Active Consent.
The basic concept of consent is not new. However, GDPR sets a higher standard for consent, which means that many organisations that collect personal data, such as contact and call centers, need to change their practices and policies to meet this raised bar.
The GDPR changes mainly reflect the principle that consent should be an ongoing, dynamic relationship between the customer and the organisation. It is no longer a case of ‘ticking boxes’; a positive ‘opt in’ is required, and customers retain the right to have their data deleted at any point, subject to any contract or agreed terms and conditions.
GDPR also retains the existing elements of consent: it must be freely given, specific and informed, and there must be a clear indication of agreement. However, GDPR goes one step further by requiring that consent be unambiguous and given through a clear, affirmative action. Failing to ‘opt out’ is not considered ‘consent’.
In practice, this means that customers or citizens must be told up front that the call or communication is being recorded, and they must be clear about what they are agreeing to. The agreement may be an oral ‘yes’ at the beginning of, or during, a call; a written statement in customer agreements; or a voice message with a ‘yes’ or ‘no’ option.
Furthermore, customers and citizens retain the ‘right to be deleted’, so they should be made aware of how they can exercise it, and withdrawing consent must be easy for them at any time, unless the data is specified as, or required for, providing a specific service or meeting contractual obligations.
In summary, active consent under GDPR requires the following:
1. Consent requests must be separate from other terms and conditions, and must not be a precondition of signing up to a service unless consent is absolutely necessary for that service.
2. Consent must be a positive opt in, with the option to say ‘yes’ or ‘no’, i.e., with no pre-ticked boxes.
3. Where possible, customers should be given the option to agree, or disagree, with each of the different ways their data will be processed; for example, they may agree to your company using their data but not to a third party doing so.
4. Every organisation using and processing the data should be named.
5. It is essential to keep records of what each customer has agreed to. These records should be easily retrievable, and deleted at the expiry of any contract or on customer request, where appropriate.
Put simply, GDPR has a significant impact on the recording, processing and storing of personal data, which in turn requires many organisations to adopt new practices and policies around ‘active consent’.
Touch has been helping multinational financial institutions to meet MiFID requirements, and our cloud-based call recording and storage service is already GDPR compliant. If you have any questions about GDPR, or would like to discuss your ongoing challenges with us, please get in touch. We can help to take the strain off you.