What are the top eight things you need to know to ensure compliance with GDPR requirements for call recording services
What are the top eight things you need to know to ensure compliance with GDPR requirements? Call recording and GDPR are closely linked, and the regulations require that organisations can provide data security and privacy, as well as the ability to meet data access and right to be forgotten requests.
The General Data Protection Regulation (GDPR) not only requires the recording of call and digital conversations, but also requires organisations to be able to meet other capabilities, such as data access rights, right to be forgotten, security and privacy. Find out how Touch Call Recording Service can help.
The General Data Protection Regulation (GDPR), which came into force on 25 May 2018, is one of the toughest privacy and security laws in the world. It applies strict data privacy protection and processing rules to any organisation that collects or processes data from EU citizens, even if that organisation is outside Europe, and carries harsh penalties for those that are non-compliant.
It means that any personal data collected over fixed or mobile phone calls, or any of the other multiple channels that organisations communicate with, must be recorded and stored securely. But there are other crucial requirements that organisations must meet from a privacy and security perspective, including an individual’s right to access the data that a company holds on them, the right to be forgotten (i.e., to have that data deleted on request), and the right to have that data securely stored. To achieve all of this, also requires organisations to be able to provide an audit log in the event of a dispute.
While it sounds daunting, Touch Call Recording Service is a managed service that ensures complete GDPR compliance for recording programmes for organisations, without the need for time-consuming and risky software or hardware deployments. Here, we outline how Touch Call Recording Service meets some of the more complex requirements of GDPR in the context of call recording.
Right to access
GDPR provides consumers, citizens, and employees with the right to see what data an organisation holds on them – this is known as ‘right to access’. Put simply, GDPR obliges organisations to be transparent about their data processing methods. In addition, it sets a time limit on how long organisations have to respond to a subject access request (SAR). Article 15 of GDPR also stipulates a number of further personal rights, including (but not limited to):
- The purposes of the processing.
- The categories of personal data concerned.
- Where possible, the envisaged period for which the personal data will be stored.
To ensure organisations can comply with these requests, Touch Call Recording Service provides a function called \"External access to files\", fully controlled by the customer (via dedicated admins), which allows citizens and employees to access their call recording via streaming over a controlled web- interface. The \"External access to files\" function provides access to a selected number of recordings. All playbacks are logged, with access time limited. No files are stored on the end-customer’s computer. It means that employers and organisations fulfil their GDPR requirement, while ensuring rights of individuals.
Access control
Article 5 (Integrity and Confidentiality) of GDPR also requires that any individual’s data is safeguarded from unauthorised access. To support these requirements, the Touch Call Recording Service can be configured to meet the needs of any organisation, with separate accounts for each team, department, or unit. Recordings from one unit are kept separate from others. Our solution offers role-based user accounts with different access rights. For example, an Administrator or Compliance Officer might be able to access company / country individual data, while the Group Administrator / Group Compliance Officer can access everything, and the Team leader can only access their own team and end-user recordings. The user access is configured exactly according to your needs and can differ accordingly.
GDPR deletion
GDPR requires that data is not stored for a longer period than necessary – GDPR Article 5 (Storage limitation). Touch Call Recording Service offers completely flexible storage/ retention options, with the deletion of data fully controlled by the customer. However, we also support automatic deletion after a specified retention period, for example after 5 years, as regulated in MiFID for financial companies. GDPR also requires individuals can request that their data is deleted. Touch Call Recording Service has a dedicated function for a ‘right to be forgotten’ data deletion request.
Strong encryption and secure storage
GDPR also requires that data to be kept in a secure manner (under GDPR Article 5, Integrity and Confidentiality). Touch Storage Centre is a part of Touch Call Recording Service and is used for the secure retention of all types of digital communication.
Our storage centres are geo-redundant and, for security reasons, isolated from the Touch Web-Portal – which is used to manage all recordings and related data. Our Web Portal can be accessed from the internet but sits in a ‘de-militarised zone’, with only authorised personnel able to access stored data. Touch employees have no access to customer data or recordings. All data is encrypted and locked.
Database integrity and database audit
Our database assures the integrity of stored data and provides full traceability for database operations. Any administrator or authorised user must login into the Touch Web-Portal and can only interact with the database via the use of stored procedures containing predefined SQL statements. The actual query (type of query and search parameters) is logged in the database, together with the specific session ID referring to that individual’s web account. Database audits are enabled for all database operations performed by the database administrator.
Data Encryption
Touch Storage Centre encrypts all recorded files. Our encryption model complies with ETSI TR 102 661, Annex C: Protection of Retained Data (RD). A two-stage encryption algorithm is applied immediately to all data before it’s stored. First, the algorithm creates a new, random secret key for each data file. The cryptographic algorithm used for the symmetric encryption is AES and the key length is 256 bits. Second, the secret key is encrypted with an RSA asymmetric encryption algorithm with a key length of 2,048 bits.
The encrypted, secret key is then stored in the database together with a reference to the encrypted data file. Importantly, no content is stored in the database (only metadata) – the encrypted recordings are stored as files on a disk, and a cryptographic checksum of the data contents is stored in the database. This checksum is then used to verify the integrity of the data.
WORM compliant
The Touch Call Recording Service is WORM-compliant (Write-Once-Read-Many), which prevents editing, overwriting, or renaming of data – this is also required for compliance regulations such as SEC Rule 17a-4. WORM means that the data written to the storage media is immutable. No changes can occur. A file can be read as many times as necessary, but it cannot be overwritten, deleted, or modified in any way.
A locking function is used to safeguard recordings before the expiry of any legally required retention period. The locking period is set for each individual account. Locking periods define how long a particular item must be held in a WORM state. When the locking period expires, the item is eligible for deletion. According to SEC rules, for example, retention periods can be lengthened but never shortened. The service can be configured to deleted recordings when the retention period expires.
Another standard compliance requirement that accompanies WORM is redundancy. Touch Storage Centre is located at two different geographically separate data centres – a Production Site and a geographically separate Disaster Recovery Site. All data and files are replicated to the Disaster Recovery Site.
Audit logs
GDPR requires that the data controller must ensure that data is only used for the original purpose. (GDPR Article 5, Accountability). Touch Call Recording Service offers audit logs that record all activity in the Web Portal, including search, playback, whitelisting, and so on.
Conclusion
In conclusion, Touch Call Recording Service covers all bases of the GDPR, including right to access, right to be forgotten, and the high-level security requirements demanded. It means we can take the GDPR headache for call recording away from you, without the need for any software or hardware deployments. To find out more, contact us today.
Ensuring compliance call recording with Microsoft Teams
MS Teams is an integral component of many organisations’ daily operations meaning that it must adhere to compliance obligations – this is particularly important when it comes to call recording policies. Leaving it to users to turn on call recording does not meet compliance requirements. What’s needed is a fully integrated call recording solution for MS Teams.
Always-on versus on-demand call recording: Which should I use?
Choose between on-demand and always-on call recording for a truly flexible solution that grows with your business.
There are a multitude of reasons for recording calls and digital communications, including compliance obligations, dispute resolution, audit purposes, and agent training and improvement, to name a few. Likewise, there are different ways to record calls, such as always-on, on demand delete, or on demand keep, and each is more suited to certain roles and tasks.
