Our Blog

GDPR – What are your data deletion obligations?

The General Data Protection Regulation (GDPR) has radically altered the way personal data is collected, processed and stored by data controllers and processors.

One of the more challenging aspects of the new regulation is that of deleting data, whether at the expiry of an agreement or contract, or as part of a ‘right to erasure’ request, previously known as ‘the right to be forgotten’. Of course, as voice call recordings are considered to be data processing, they also fall under this remit.

Under GDPR, data controllers and processors are obliged to return or delete all personal data after the end of services, or on expiry of a contract or agreement, unless it’s necessary to retain the data by law.

The bill also includes the right to be forgotten – also known as ‘right to erasure’ – whereby individuals can demand that their data is deleted if it's no longer necessary for the purpose it was collected, or there is no ‘compelling’ reason for its continued processing.

They can also demand that their data is erased if they've withdrawn their consent for their data to be collected, or object to the way it is being processed. The controller is responsible for telling other organisations to delete any links to copies of that data, as well as the copies themselves.

The right to erasure does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent processing in specific circumstances:

· Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.

· When the individual withdraws consent.

· When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.

· The personal data was unlawfully processed (in breach of the GDPR).

· The personal data has to be erased in order to comply with a legal obligation.

So, if just one of these conditions applies, it is the responsibility of the data controller to delete and remove data and recorded calls ‘without undue delay’, and specifically within a month, barring exceptional circumstances.

Of course, this may still require new systems and processes to be put in place, which can be disruptive and costly, and comes with a certain amount of risk.

Alternatively, Touch offers a cloud-hosted service that provides compliant-ready, secure, reliable storage and deletion of all recorded calls, without any CAPEX required.

An easy-to-use web-interface offers advanced search and retrieval capabilities. Hierarchical-based protection ensures that access rights are restricted and permission levels can be applied. Call recordings are searchable by time, telephone number and name, which means that they can easily be found and deleted whenever a right to erasure request is achieved. So what are you waiting for? Get in touch to find out how we can continue to ease your GDPR headache.

Written on 14 November 2017
Stay in touch...
  • Linkedin
  • Twitter
  • blog