In May 2018, new data protection laws will come into force across Europe. This blog looks specifically at how this new legislation will affect you if you record your telephone calls.
The EU-wide General Data Protection Regulation (GDPR) will come into force in May 2018, replacing all national data protection laws in the member states. This will affect any business or entity that holds or processes the personal data of EU citizens.
As the Brexit process will not have been completed by this date, and UK businesses will want to continue doing business with Europe, it would be good practice to ensure that your processes and procedures comply with this new legislation.
The purpose of these changes is to ensure that organisations collect, record and use personal data in a compliant and diligent way that protects the rights of individuals, as they conduct their business operations.
What Changes will occur under the GDPR?
The main principles behind the GDPR are similar to those already in place within UK legislation: for instance, the expectation to protect privacy, the requirements for notification and consent, and the requirement to adequately protect stored data from misuse. The main difference is that the GDPR gives individuals (data subjects) increased ownership and control over their personal data, and simplifies their access to information about how their personal data is acquired, used and stored.
- All data formats will be regulated by the GDPR: audio, video, photographs, IP addresses, device IDs and cookies are all covered by the regulation
- From a Business or Entity’s perspective, there will now be a requirement to appoint a Data Protection Officer (DPO)*
- There will be a need to conduct routine Privacy Impact Assessments (PIAs) to regularly monitor exposure to risk **
- Privacy must be built in to data processing and handling procedures
- There will now be the need to provide increased transparency through the mandatory reporting of security and confidentiality breaches to regulators and those affected within specified timeframes
- The GDPR gives regulators the right to impose substantial fines for non-compliance – up to 4% of global turnover
Key Points to consider
There are now enhanced rights for individuals:
GDPR – an individual’s rights
- The right to be informed – the right to be given fair processing information, focusing on the need for transparency over how you use personal data
- The right of access – the right to obtain confirmation that their data is processed, access to their personal data and other supplementary information
- The right to rectification – the right to have personal data rectified if it is inaccurate or incomplete
- The right to erasure – the right to have personal data erased and to prevent processing in specific circumstances
- The right to restrict processing – the right to suppress processing of personal data
- The right to data portability – the right to obtain and reuse their personal data for their own purposes across different services
- The right to object – the right to object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority, direct marketing, and processing for purposes of scientific/historical research and statistics
- Rights in relation to automated decision making and profiling – safeguards individuals against the risk that a potentially damaging decision is taken without human intervention
Greater importance is now placed on obtaining consent to hold and process data, and this consent may be withdrawn by the data subject at any time. There will also be a “Principle of Accountability” that places the onus on the Business or Entity to demonstrate compliance formally. This will force data protection to become more process driven and strategically applied throughout all aspects of the Organisation, in the form of policies and procedures.
Businesses wishing to record data, including telephone calls, will be required to actively justify legality by demonstrating that the purpose fulfils one of six conditions:
1. The people involved in the call have given consent to be recorded
2. Recording a call is necessary for the fulfilment of a contract
3. Recording is necessary for fulfilling a legal requirement
4. The call recording is necessary to protect the interests of one or more participants
5. The call recording is in the public interest or necessary for the exercise of official authority
6. Recording is in the legitimate interests of the entity or Business, unless those interests are overridden by the interests of the participant in the call
Some of these conditions apply specifically to certain uses of call recording in certain sectors, where they dovetail with that sector's own compliance and legislative requirements.
- Conditions 3, 4 and 5 would be relevant for the majority of organisations and entities, including FCA-regulated entities, police investigations, fire, police and emergency services, and the security sector
- Condition 2 may be relevant for outsourced Contact Centres and Customer Service Centres
- For organisations that use call recording for quality and best practice purposes, conditions 1 and 6 are relevant
The legitimate interests of a Business in evaluating customer service levels are not likely to outweigh the interests of personal privacy under the new regulations, so realistically that only leaves gaining consent.
Under the GDPR, assumed consent will not be satisfactory; explicit consent to record calls will be required.
Another point to consider: if your organisation records all calls and employees are authorised to use the telephone for personal use, any private calls on these lines are in breach of DPA rules and will also breach the GDPR. Ensure that a non-recorded line is available, or that all private calls are made on employees' own mobile phones.
Accountability Principle of GDPR
The new accountability principle stipulates that a Business or Entity has a responsibility to demonstrate that it complies with the principle by:
- Implementing appropriate technical and organisational measures that ensure and demonstrate compliance
- Maintaining relevant documentation on processing activities
- Implementing measures that meet the principles of data protection by design and by default
- Adhering to approved codes of conduct and/or certification schemes
This would mean that Businesses that use call recording would need to draw up specific policies and procedures around how recording will occur and how they will gain consent from participants, as well as outlining which of the processing conditions they believe applies.
Under the GDPR, failure to demonstrate this could result in substantial penalties and fines of up to 4% of turnover for major breaches, and 2% for less serious breaches.
What should I do to get ready for GDPR?
- Carry out a thorough audit of call recording practices, from the notifications given to how recordings are stored. This should of course be done as part of a wider audit that considers all aspects of data protection for the entire Business, and not only call recording
- Consider factors such as how data breaches could occur and how they could be identified
- Conduct an impact assessment, and ensure that all personnel are properly trained and that ongoing coaching and education programmes are in place, for continual improvement
Based on these outcomes, policies and procedures can be drawn up in good time to prepare, share and monitor your Data Protection policies, allowing you to fine-tune and adapt them so that they become a mature Business-wide process by the May 2018 deadline.
References:
- ICO, Overview of the General Data Protection Regulation (GDPR)
- ICO, Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now, V2.0, 20170525
Notes
* Under the GDPR, you must appoint a data protection officer (DPO) if you:
- are a public authority (except for courts acting in their judicial capacity)
- carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
- carry out large scale processing of special categories of data or data relating to criminal convictions and offences
You may appoint a single data protection officer to act for a group of companies or for a group of public authorities, taking into account their structure and size.
Any organisation is able to appoint a DPO. Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure that your organisation has sufficient staff and skills to discharge your obligations under the GDPR.
** The GDPR makes privacy by design an express legal requirement, under the term ‘data protection by design and by default’. It also makes PIAs – referred to as ‘Data Protection Impact Assessments’ or DPIAs – mandatory in certain circumstances.
A DPIA is required in situations where data processing is likely to result in high risk to individuals, for example:
- where a new technology is being deployed
- where a profiling operation is likely to significantly affect individuals; or
- where there is processing on a large scale of the special categories of data
If a DPIA indicates that the data processing is high risk, and you cannot sufficiently address those risks, you will be required to consult the ICO to seek its opinion as to whether the processing operation complies with the GDPR. You should therefore start to assess the situations where it will be necessary to conduct a DPIA. Who will do it? Who else needs to be involved? Will the process be run centrally or locally?
Guest Blog by Sarah-Jane Heber-Hall, Director at ComputerTel